ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ab...@apache.org
Subject [5/8] ranger git commit: RANGER-2203, RANGER-2219: Review and update database schema for ranger policies and tag objects to minimize database queries/updates; back-port of RANGER-2186, RANGER-2195
Date Fri, 19 Oct 2018 02:28:41 GMT
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ceee8ce..a3e0261 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -19,6 +19,12 @@
 
 package org.apache.ranger.biz;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.UnknownHostException;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -27,18 +33,11 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.Map.Entry;
+import java.util.Set;
 import java.util.StringTokenizer;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.UnknownHostException;
-import java.text.SimpleDateFormat;
 
 import javax.annotation.PostConstruct;
 import javax.servlet.ServletOutputStream;
@@ -50,22 +49,30 @@ import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.poi.hssf.usermodel.HSSFWorkbook;
+import org.apache.poi.ss.usermodel.Cell;
+import org.apache.poi.ss.usermodel.CellStyle;
+import org.apache.poi.ss.usermodel.Font;
+import org.apache.poi.ss.usermodel.Row;
+import org.apache.poi.ss.usermodel.Sheet;
+import org.apache.poi.ss.usermodel.Workbook;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.MessageEnums;
-import org.apache.ranger.common.RangerCommonEnums;
+import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
-import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.PasswordUtils;
 import org.apache.ranger.common.JSONUtil;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.RangerFactory;
 import org.apache.ranger.common.RangerServicePoliciesCache;
 import org.apache.ranger.common.RangerVersionInfo;
@@ -79,15 +86,6 @@ import org.apache.ranger.db.XXDataMaskTypeDefDao;
 import org.apache.ranger.db.XXEnumDefDao;
 import org.apache.ranger.db.XXEnumElementDefDao;
 import org.apache.ranger.db.XXPolicyConditionDefDao;
-import org.apache.ranger.db.XXPolicyItemAccessDao;
-import org.apache.ranger.db.XXPolicyItemConditionDao;
-import org.apache.ranger.db.XXPolicyItemDao;
-import org.apache.ranger.db.XXPolicyItemDataMaskInfoDao;
-import org.apache.ranger.db.XXPolicyItemGroupPermDao;
-import org.apache.ranger.db.XXPolicyItemRowFilterInfoDao;
-import org.apache.ranger.db.XXPolicyItemUserPermDao;
-import org.apache.ranger.db.XXPolicyResourceDao;
-import org.apache.ranger.db.XXPolicyResourceMapDao;
 import org.apache.ranger.db.XXResourceDefDao;
 import org.apache.ranger.db.XXServiceConfigDefDao;
 import org.apache.ranger.db.XXServiceConfigMapDao;
@@ -101,18 +99,11 @@ import org.apache.ranger.entity.XXDataHist;
 import org.apache.ranger.entity.XXDataMaskTypeDef;
 import org.apache.ranger.entity.XXEnumDef;
 import org.apache.ranger.entity.XXEnumElementDef;
-import org.apache.ranger.entity.XXGroup;
 import org.apache.ranger.entity.XXPolicy;
 import org.apache.ranger.entity.XXPolicyConditionDef;
-import org.apache.ranger.entity.XXPolicyItem;
-import org.apache.ranger.entity.XXPolicyItemAccess;
-import org.apache.ranger.entity.XXPolicyItemCondition;
-import org.apache.ranger.entity.XXPolicyItemDataMaskInfo;
-import org.apache.ranger.entity.XXPolicyItemGroupPerm;
-import org.apache.ranger.entity.XXPolicyItemRowFilterInfo;
-import org.apache.ranger.entity.XXPolicyItemUserPerm;
-import org.apache.ranger.entity.XXPolicyResource;
-import org.apache.ranger.entity.XXPolicyResourceMap;
+import org.apache.ranger.entity.XXPolicyRefAccessType;
+import org.apache.ranger.entity.XXPolicyRefCondition;
+import org.apache.ranger.entity.XXPolicyRefResource;
 import org.apache.ranger.entity.XXResourceDef;
 import org.apache.ranger.entity.XXService;
 import org.apache.ranger.entity.XXServiceConfigDef;
@@ -123,13 +114,11 @@ import org.apache.ranger.entity.XXTrxLog;
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -144,7 +133,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerRowFilterDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
 import org.apache.ranger.plugin.store.AbstractServiceStore;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.store.PList;
@@ -161,15 +149,14 @@ import org.apache.ranger.service.RangerServiceDefService;
 import org.apache.ranger.service.RangerServiceDefWithAssignedIdService;
 import org.apache.ranger.service.RangerServiceService;
 import org.apache.ranger.service.RangerServiceWithAssignedIdService;
-import org.apache.ranger.service.XGroupService;
 import org.apache.ranger.service.XUserService;
 import org.apache.ranger.view.RangerExportPolicyList;
 import org.apache.ranger.view.RangerPolicyList;
 import org.apache.ranger.view.RangerServiceDefList;
 import org.apache.ranger.view.RangerServiceList;
-import org.apache.ranger.view.VXGroup;
 import org.apache.ranger.view.VXString;
 import org.apache.ranger.view.VXUser;
+import org.codehaus.jettison.json.JSONException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
@@ -177,14 +164,6 @@ import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.TransactionStatus;
 import org.springframework.transaction.support.TransactionCallback;
 import org.springframework.transaction.support.TransactionTemplate;
-import org.apache.poi.hssf.usermodel.HSSFWorkbook;
-import org.apache.poi.ss.usermodel.Cell;
-import org.apache.poi.ss.usermodel.CellStyle;
-import org.apache.poi.ss.usermodel.Font;
-import org.apache.poi.ss.usermodel.Row;
-import org.apache.poi.ss.usermodel.Sheet;
-import org.apache.poi.ss.usermodel.Workbook;
-import org.codehaus.jettison.json.JSONException;
 
 import com.google.gson.Gson;
 
@@ -192,26 +171,38 @@ import com.google.gson.Gson;
 public class ServiceDBStore extends AbstractServiceStore {
 	private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
 
+	public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
+
+	private static final String ADMIN_USER_PRINCIPAL      = "ranger.admin.kerberos.principal";
+	private static final String ADMIN_USER_KEYTAB         = "ranger.admin.kerberos.keytab";
+	private static final String LOOKUP_PRINCIPAL          = "ranger.lookup.kerberos.principal";
+	private static final String LOOKUP_KEYTAB             = "ranger.lookup.kerberos.keytab";
+	private static final String RANGER_AUTH_TYPE          = "hadoop.security.authentication";
+	private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+
+	private static final String KERBEROS_TYPE             = "kerberos";
+
 	private static final String POLICY_ALLOW_EXCLUDE = "Policy Allow:Exclude";
-	//private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
-	private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude";
-	private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include";
-	
-	private static String LOCAL_HOSTNAME = "unknown";
-	private static final String HOSTNAME = "Host name";
-	private static final String USER_NAME = "Exported by";
+	private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
+	private static final String POLICY_DENY_EXCLUDE  = "Policy Deny:Exclude";
+	private static final String POLICY_DENY_INCLUDE  = "Policy Deny:Include";
+
+	private static       String LOCAL_HOSTNAME = "unknown";
+	private static final String HOSTNAME       = "Host name";
+	private static final String USER_NAME      = "Exported by";
 	private static final String RANGER_VERSION = "Ranger apache version";
-	private static final String TIMESTAMP = "Export time";
+	private static final String TIMESTAMP      = "Export time";
 
-	private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
-	private static final String SERVICE_ADMIN_USERS = "service.admin.users";
-	
-        public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO);
-        public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);
-        public static final String SALT = PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT);
-        public static final Integer ITERATION_COUNT = PropertiesUtil.getIntProperty("ranger.password.iteration.count", PasswordUtils.DEFAULT_ITERATION_COUNT);
+	private static final String AUDITTOHDFS_KMS_PATH    = "/ranger/audit/kms";
+	private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
+	private static final String SERVICE_ADMIN_USERS     = "service.admin.users";
 
-    static {
+	public static final String  CRYPT_ALGO      = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO);
+	public static final String  ENCRYPT_KEY     = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);
+	public static final String  SALT            = PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT);
+	public static final Integer ITERATION_COUNT = PropertiesUtil.getIntProperty("ranger.password.iteration.count", PasswordUtils.DEFAULT_ITERATION_COUNT);
+	
+	static {
 		try {
 			LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
 		} catch (UnknownHostException e) {
@@ -247,7 +238,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 	XUserMgr xUserMgr;
 
 	@Autowired
-	XGroupService xGroupService;
+	PolicyRefUpdater policyRefUpdater;
 
 	@Autowired
 	RangerDataHistService dataHistService;
@@ -277,7 +268,14 @@ public class ServiceDBStore extends AbstractServiceStore {
 	@Autowired
 	ServiceMgr serviceMgr;
 
+        @Autowired
+        AssetMgr assetMgr;
+
+	@Autowired
+	RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter;
+
 	private static volatile boolean legacyServiceDefsInitDone = false;
+
 	private Boolean populateExistingBaseFields = false;
 	
 	public static final String HIDDEN_PASSWORD_STR = "*****";
@@ -288,7 +286,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 
 	private ServicePredicateUtil predicateUtil = null;
 
-
 	@Override
 	public void init() throws Exception {
 		if (LOG.isDebugEnabled()) {
@@ -735,8 +732,8 @@ public class ServiceDBStore extends AbstractServiceStore {
 				}
 			}
 			if (!found) {
-				List<XXPolicyResource> policyResList = daoMgr.getXXPolicyResource().findByResDefId(xRes.getId());
-				if (!stringUtil.isEmpty(policyResList)) {
+				List<XXPolicyRefResource> xxPolicyRefResource = daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId());
+				if (!stringUtil.isEmpty(xxPolicyRefResource)) {
 					throw restErrorUtil.createRESTException("Policy/Policies are referring to this resource: "
 							+ xRes.getName() + ". Please remove such references from policy before updating service-def.",
 							MessageEnums.DATA_NOT_UPDATABLE);
@@ -822,8 +819,8 @@ public class ServiceDBStore extends AbstractServiceStore {
 				}
 			}
 			if (!found) {
-				List<XXPolicyItemAccess> polItemAccessList = daoMgr.getXXPolicyItemAccess().findByType(xAccess.getId());
-				if(!stringUtil.isEmpty(polItemAccessList)) {
+				List<XXPolicyRefAccessType> policyRefAccessTypeList = daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId());
+				if(!stringUtil.isEmpty(policyRefAccessTypeList)) {
 					throw restErrorUtil.createRESTException("Policy/Policies are referring to this access-type: "
 							+ xAccess.getName() + ". Please remove such references from policy before updating service-def.",
 							MessageEnums.DATA_NOT_UPDATABLE);
@@ -865,15 +862,14 @@ public class ServiceDBStore extends AbstractServiceStore {
 				}
 			}
 			if(!found) {
-				List<XXPolicyItemCondition> policyItemCondList = daoMgr.getXXPolicyItemCondition()
-						.findByPolicyConditionDefId(xCondition.getId());
-				if(!stringUtil.isEmpty(policyItemCondList)) {
+				List<XXPolicyRefCondition> xxPolicyRefConditions = daoMgr.getXXPolicyRefCondition().findByConditionDefId(xCondition.getId());
+				if(!stringUtil.isEmpty(xxPolicyRefConditions)) {
 					throw restErrorUtil.createRESTException("Policy/Policies are referring to this policy-condition: "
 							+ xCondition.getName() + ". Please remove such references from policy before updating service-def.",
 							MessageEnums.DATA_NOT_UPDATABLE);
 				}
-				for(XXPolicyItemCondition policyItemCond : policyItemCondList) {
-					daoMgr.getXXPolicyItemCondition().remove(policyItemCond);
+				for(XXPolicyRefCondition xxPolicyRefCondition : xxPolicyRefConditions) {
+					daoMgr.getXXPolicyRefCondition().remove(xxPolicyRefCondition);
 				}
 				xxPolCondDao.remove(xCondition);
 			}
@@ -1206,9 +1202,9 @@ public class ServiceDBStore extends AbstractServiceStore {
 		List<XXPolicyConditionDef> policyCondList = policyCondDao.findByServiceDefId(serviceDefId);
 		
 		for (XXPolicyConditionDef policyCond : policyCondList) {
-			List<XXPolicyItemCondition> policyItemCondList = daoMgr.getXXPolicyItemCondition().findByPolicyConditionDefId(policyCond.getId());
-			for (XXPolicyItemCondition policyItemCond : policyItemCondList) {
-				daoMgr.getXXPolicyItemCondition().remove(policyItemCond);
+			List<XXPolicyRefCondition> xxPolicyRefConditions = daoMgr.getXXPolicyRefCondition().findByConditionDefId(policyCond.getId());
+			for (XXPolicyRefCondition XXPolicyRefCondition : xxPolicyRefConditions) {
+				daoMgr.getXXPolicyRefCondition().remove(XXPolicyRefCondition);
 			}
 			policyCondDao.remove(policyCond);
 		}
@@ -1258,37 +1254,25 @@ public class ServiceDBStore extends AbstractServiceStore {
 			daoMgr.getXXAccessTypeDefGrants().remove(atdGrant);
 		}
 
-		List<XXPolicyItemAccess> policyItemAccessList = daoMgr.getXXPolicyItemAccess().findByType(xAccess.getId());
-		for (XXPolicyItemAccess policyItemAccess : policyItemAccessList) {
-			daoMgr.getXXPolicyItemAccess().remove(policyItemAccess);
+		List<XXPolicyRefAccessType> policyRefAccessTypeList = daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId());
+		for (XXPolicyRefAccessType xxPolicyRefAccessType : policyRefAccessTypeList) {
+			daoMgr.getXXPolicyRefAccessType().remove(xxPolicyRefAccessType);
 		}
 		daoMgr.getXXAccessTypeDef().remove(xAccess);
 	}
 
 	public void deleteXXResourceDef(XXResourceDef xRes) {
-
 		List<XXResourceDef> xChildObjs = daoMgr.getXXResourceDef().findByParentResId(xRes.getId());
 		for(XXResourceDef childRes : xChildObjs) {
 			deleteXXResourceDef(childRes);
 		}
-
-		List<XXPolicyResource> xxResources = daoMgr.getXXPolicyResource().findByResDefId(xRes.getId());
-		for (XXPolicyResource xPolRes : xxResources) {
-			deleteXXPolicyResource(xPolRes);
+		List<XXPolicyRefResource> xxPolicyRefResources = daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId());
+		for (XXPolicyRefResource xPolRefRes : xxPolicyRefResources) {
+			daoMgr.getXXPolicyRefResource().remove(xPolRefRes);
 		}
-
 		daoMgr.getXXResourceDef().remove(xRes);
 	}
 
-	public void deleteXXPolicyResource(XXPolicyResource xPolRes) {
-		List<XXPolicyResourceMap> polResMapList = daoMgr.getXXPolicyResourceMap().findByPolicyResId(xPolRes.getId());
-		XXPolicyResourceMapDao polResMapDao = daoMgr.getXXPolicyResourceMap();
-		for (XXPolicyResourceMap xxPolResMap : polResMapList) {
-			polResMapDao.remove(xxPolResMap);
-		}
-		daoMgr.getXXPolicyResource().remove(xPolRes);
-	}
-
 	@Override
 	public RangerServiceDef getServiceDef(Long id) throws Exception {
 		if (LOG.isDebugEnabled()) {
@@ -1439,10 +1423,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 			xConfMap.setServiceId(xCreatedService.getId());
 			xConfMap.setConfigkey(configKey);
 			xConfMap.setConfigvalue(configValue);
-			xConfMapDao.create(xConfMap);
-		}
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("vXUser:[" + vXUser + "]");
+			xConfMap = xConfMapDao.create(xConfMap);
 		}
 		RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
 
@@ -1457,7 +1438,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		bizUtil.createTrxLog(trxLogList);
 
 		if (createDefaultPolicy) {
-			createDefaultPolicies(createdService);
+			createDefaultPolicies(xCreatedService, vXUser);
 		}
 
 		return createdService;
@@ -1599,25 +1580,21 @@ public class ServiceDBStore extends AbstractServiceStore {
 								+ userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
 					}
 					vXUser = xUserMgr.createServiceConfigUser(userName);
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Service config user created:[" + vXUser + "]");
+					}
 				}
 			}
-			
+
 			if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
 				if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) {
-					String[] crypt_algo_array = null;
-					if (configValue.contains(",")) {
-						crypt_algo_array = configValue.split(",");
-					}
-                                        if (oldPassword != null && oldPassword.contains(",")) {
-                                                String encryptKey = null;
-                                                String salt = null;
-                                                int iterationCount = 0;
-						crypt_algo_array = oldPassword.split(",");
-						String OLD_CRYPT_ALGO = crypt_algo_array[0];
-                                                encryptKey = crypt_algo_array[1];
-                                                salt = crypt_algo_array[2];
-                                                iterationCount = Integer.parseInt(crypt_algo_array[3]);
-						
+					if (oldPassword != null && oldPassword.contains(",")) {
+						String[] crypt_algo_array = oldPassword.split(",");
+						String   OLD_CRYPT_ALGO   = crypt_algo_array[0];
+						String   encryptKey       = crypt_algo_array[1];
+						String   salt             = crypt_algo_array[2];
+						int      iterationCount   = Integer.parseInt(crypt_algo_array[3]);
+
 						if (!OLD_CRYPT_ALGO.equalsIgnoreCase(CRYPT_ALGO)) {
 							String decryptedPwd = PasswordUtils.decryptPassword(oldPassword);
                                                         String paddingString = CRYPT_ALGO + "," +  encryptKey + "," + salt + "," + iterationCount;
@@ -1642,15 +1619,13 @@ public class ServiceDBStore extends AbstractServiceStore {
 					}
 				}
 			}
+
 			XXServiceConfigMap xConfMap = new XXServiceConfigMap();
 			xConfMap = (XXServiceConfigMap) rangerAuditFields.populateAuditFields(xConfMap, xUpdService);
 			xConfMap.setServiceId(service.getId());
 			xConfMap.setConfigkey(configKey);
 			xConfMap.setConfigvalue(configValue);
-			xConfMapDao.create(xConfMap);
-		}
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("vXUser:[" + vXUser + "]");
+			xConfMap = xConfMapDao.create(xConfMap);
 		}
 		RangerService updService = svcService.getPopulatedViewObject(xUpdService);
 		dataHistService.createObjectDataHistory(updService, RangerDataHistService.ACTION_UPDATE);
@@ -1672,11 +1647,11 @@ public class ServiceDBStore extends AbstractServiceStore {
 		}
 
 		List<XXPolicy> policies = daoMgr.getXXPolicy().findByServiceId(service.getId());
-		RangerPolicy rangerPolicy =null;
+		//RangerPolicy rangerPolicy =null;
 		for(XXPolicy policy : policies) {
 			LOG.info("Deleting Policy, policyName: " + policy.getName());
-			rangerPolicy = getPolicy(policy.getId());
-			deletePolicy(rangerPolicy);
+			//rangerPolicy = getPolicy(policy.getId());
+			deletePolicy(policy.getId());
 		}
 
 		XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap();
@@ -1834,14 +1809,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 			throw new Exception("policy already exists: ServiceName=" + policy.getService() + "; PolicyName=" + policy.getName() + ". ID=" + existing.getId());
 		}
 
-		Map<String, RangerPolicyResource> resources = policy.getResources();
-		List<RangerPolicyItem> policyItems     = policy.getPolicyItems();
-		List<RangerPolicyItem> denyPolicyItems = policy.getDenyPolicyItems();
-		List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions();
-		List<RangerPolicyItem> denyExceptions  = policy.getDenyExceptions();
-		List<RangerDataMaskPolicyItem> dataMaskItems  = policy.getDataMaskPolicyItems();
-		List<RangerRowFilterPolicyItem> rowFilterItems = policy.getRowFilterPolicyItems();
-
 		policy.setVersion(Long.valueOf(1));
 		updatePolicySignature(policy);
 
@@ -1859,14 +1826,8 @@ public class ServiceDBStore extends AbstractServiceStore {
 		}
 
 		XXPolicy xCreatedPolicy = daoMgr.getXXPolicy().getById(policy.getId());
+		policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef);
 
-		createNewResourcesForPolicy(policy, xCreatedPolicy, resources);
-		createNewPolicyItemsForPolicy(policy, xCreatedPolicy, policyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
-		createNewPolicyItemsForPolicy(policy, xCreatedPolicy, denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
-		createNewPolicyItemsForPolicy(policy, xCreatedPolicy, allowExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
-		createNewPolicyItemsForPolicy(policy, xCreatedPolicy, denyExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
-		createNewDataMaskPolicyItemsForPolicy(policy, xCreatedPolicy, dataMaskItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK);
-		createNewRowFilterPolicyItemsForPolicy(policy, xCreatedPolicy, rowFilterItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER);
 		handlePolicyUpdate(service, true);
 		RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy);
 		dataHistService.createObjectDataHistory(createdPolicy, RangerDataHistService.ACTION_CREATE);
@@ -1877,29 +1838,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 		return createdPolicy;
 	}
 
-        private boolean validatePolicyItem(List<RangerPolicyItem> policyItems) {
-                boolean isPolicyItemValid=true;
-                for (RangerPolicyItem policyItem : policyItems) {
-                        if (policyItem != null) {
-                                if (CollectionUtils.isEmpty(policyItem.getUsers())
-                                                || (policyItem.getUsers() != null) && policyItem.getUsers().contains(null)
-                                                || (policyItem.getUsers().contains(""))) {
-                                        if (CollectionUtils.isEmpty(policyItem.getGroups())
-                                                        || (policyItem.getGroups() != null) && policyItem.getGroups().contains(null)
-                                                        || (policyItem.getGroups().contains(""))) {
-
-                                                isPolicyItemValid = false;
-                                        }
-                                }
-                                if (CollectionUtils.isEmpty(policyItem.getAccesses())
-                                                || (policyItem.getAccesses() != null) && policyItem.getAccesses().contains(null)) {
-                                        isPolicyItemValid = false;
-                                }
-                        }
-                }
-                return isPolicyItemValid;
-        }
-
 	@Override
 	public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception {
 		if(LOG.isDebugEnabled()) {
@@ -1937,14 +1875,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 				throw new Exception("another policy already exists with name '" + policy.getName() + "'. ID=" + newNamePolicy.getId());
 			}
 		}
-		Map<String, RangerPolicyResource> newResources = policy.getResources();
-		List<RangerPolicyItem> policyItems     = policy.getPolicyItems();
-		List<RangerPolicyItem> denyPolicyItems = policy.getDenyPolicyItems();
-		List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions();
-		List<RangerPolicyItem> denyExceptions  = policy.getDenyExceptions();
-		List<RangerDataMaskPolicyItem> dataMaskPolicyItems = policy.getDataMaskPolicyItems();
-		List<RangerRowFilterPolicyItem> rowFilterItems = policy.getRowFilterPolicyItems();
-
+		
 		policy.setCreateTime(xxExisting.getCreateTime());
 		policy.setGuid(xxExisting.getGuid());
 		policy.setVersion(xxExisting.getVersion());
@@ -1958,26 +1889,19 @@ public class ServiceDBStore extends AbstractServiceStore {
 			isTagVersionUpdateNeeded = existing.getIsEnabled() ? !policy.getIsEnabled() : policy.getIsEnabled();
 			isTagVersionUpdateNeeded = isTagVersionUpdateNeeded || !StringUtils.equals(existing.getResourceSignature(), policy.getResourceSignature());
 		}
+
 		policy = policyService.update(policy);
 		XXPolicy newUpdPolicy = daoMgr.getXXPolicy().getById(policy.getId());
 
-		deleteExistingPolicyResources(policy);
-		deleteExistingPolicyItems(policy);
-		
-		createNewResourcesForPolicy(policy, newUpdPolicy, newResources);
-		createNewPolicyItemsForPolicy(policy, newUpdPolicy, policyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
-		createNewPolicyItemsForPolicy(policy, newUpdPolicy, denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
-		createNewPolicyItemsForPolicy(policy, newUpdPolicy, allowExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
-		createNewPolicyItemsForPolicy(policy, newUpdPolicy, denyExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
-		createNewDataMaskPolicyItemsForPolicy(policy, newUpdPolicy, dataMaskPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK);
-		createNewRowFilterPolicyItemsForPolicy(policy, newUpdPolicy, rowFilterItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER);
-
-		handlePolicyUpdate(service, isTagVersionUpdateNeeded);
+		policyRefUpdater.cleanupRefTables(policy);
+		policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef);
+
+        handlePolicyUpdate(service, isTagVersionUpdateNeeded);
 		RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy);
 		dataHistService.createObjectDataHistory(updPolicy, RangerDataHistService.ACTION_UPDATE);
 		
 		bizUtil.createTrxLog(trxLogList);
-		
+
 		return updPolicy;
 	}
 
@@ -2011,10 +1935,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		policy.setVersion(version);
 		
 		List<XXTrxLog> trxLogList = policyService.getTransactionLog(policy, RangerPolicyService.OPERATION_DELETE_CONTEXT);
-		
-		deleteExistingPolicyItems(policy);
-		deleteExistingPolicyResources(policy);
-		
+		policyRefUpdater.cleanupRefTables(policy);
 		policyService.delete(policy);
 		handlePolicyUpdate(service, true);
 		
@@ -2024,7 +1945,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		
 		LOG.info("Policy Deleted Successfully. PolicyName : " + policyName);
 	}
-
+/*
 	public void deletePolicy(RangerPolicy policy) throws Exception {
 		if(policy == null) {
 			return;
@@ -2045,13 +1966,11 @@ public class ServiceDBStore extends AbstractServiceStore {
 		}
 		policy.setVersion(version);
 		List<XXTrxLog> trxLogList = policyService.getTransactionLog(policy, RangerPolicyService.OPERATION_DELETE_CONTEXT);
-		deleteExistingPolicyItemsNative(policy);
-		deleteExistingPolicyResourcesNative(policy);
 		daoMgr.getXXPolicy().deletePolicyIDReference("id",policy.getId());
 		handlePolicyUpdate(service, true);
 		dataHistService.createObjectDataHistory(policy, RangerDataHistService.ACTION_DELETE);
 		bizUtil.createTrxLog(trxLogList);
-	}
+	}*/
 
 	@Override
 	public RangerPolicy getPolicy(Long id) throws Exception {
@@ -2087,7 +2006,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 		return ret;
 	}
 
-
 	public void getPoliciesInExcel(List<RangerPolicy> policies, HttpServletResponse response) throws Exception {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceDBStore.getPoliciesInExcel()");
@@ -2570,134 +2488,428 @@ public class ServiceDBStore extends AbstractServiceStore {
 		return ret;
 	}
 
-	void createDefaultPolicies(RangerService createdService) throws Exception {
+	void createDefaultPolicies(XXService createdService, VXUser vXUser) throws Exception {
+		RangerServiceDef serviceDef = getServiceDef(createdService.getType());
+
+		if (serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
+			createDefaultTagPolicy(createdService);
+		} else {
+			// we need to create one policy for each resource hierarchy
+			RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+			for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
+				RangerPolicy policy = new RangerPolicy();
+				createDefaultPolicy(policy, createdService, vXUser, aHierarchy);
+				policy = createPolicy(policy);
+				RangerPolicy policyAudit = new RangerPolicy();
+				createPolicyForKeyAdmin(policyAudit, serviceDef, aHierarchy, createdService);
+			}
+		}
+	}
+
+	private void createPolicyForKeyAdmin(RangerPolicy policyAudit, RangerServiceDef serviceDef, List<RangerResourceDef> aHierarchy, XXService createdService) {
+		if (serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME)) {
+			try {
+                // we need to create one policy for keyadmin user for audit to HDFS
+                RangerPolicy policy = getPolicyForKMSAudit(aHierarchy , createdService.getName(), serviceDef);
+				if (policy != null) {
+					createPolicy(policy);
+				}
+			} catch (Exception e) {
+                LOG.error("Error creating policy for keyadmin for audit to HDFS : " + serviceDef.getName(), e);
+			}
+		}
+	}
+
+	private RangerPolicy getPolicyForKMSAudit(List<RangerResourceDef> resourceHierarchy, String serviceName, RangerServiceDef serviceDef) {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> ServiceDBStore.getPolicyForKMSAudit()");
+	    }
 
-		RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
+	    RangerPolicy policy = new RangerPolicy();
 
-		if (svc != null) {
+	    policy.setIsEnabled(true);
+	    policy.setVersion(1L);
+	    policy.setName(AUDITTOHDFS_POLICY_NAME);
+		policy.setService(serviceName);
+	    policy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME);
+	    policy.setIsAuditEnabled(true);
+	    policy.setResources(createKMSAuditResource(resourceHierarchy));
 
-			List<String> serviceCheckUsers = getServiceCheckUsers(createdService);
+	    List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+	    //Create policy item for keyadmin
+	    RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+	    List<String> userKeyAdmin = new ArrayList<String>();
+	    userKeyAdmin.add("keyadmin");
+	    policyItem.setUsers(userKeyAdmin);
+	    policyItem.setAccesses(getAndAllowAllAccesses(serviceDef));
+	    policyItem.setDelegateAdmin(false);
 
-			List<RangerPolicy.RangerPolicyItemAccess> allAccesses = svc.getAndAllowAllAccesses();
+	    policyItems.add(policyItem);
+	    policy.setPolicyItems(policyItems);
 
-			List<RangerPolicy> defaultPolicies = svc.getDefaultRangerPolicies();
+	    if (LOG.isDebugEnabled()) {
+	            LOG.debug("<== ServiceDBStore.getPolicyForKMSAudit()" + policy);
+	    }
 
-			if (CollectionUtils.isNotEmpty(defaultPolicies)) {
+	    return policy;
+	}
 
-				createDefaultPolicyUsersAndGroups(defaultPolicies);
+	public List<RangerPolicy.RangerPolicyItemAccess> getAndAllowAllAccesses(RangerServiceDef serviceDef) {
+		List<RangerPolicy.RangerPolicyItemAccess> ret = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+		for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+			RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
+			access.setType(accessTypeDef.getName());
+			access.setIsAllowed(true);
+			ret.add(access);
+		}
+		return ret;
+	}
 
-				for (RangerPolicy defaultPolicy : defaultPolicies) {
-                                        List<RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
-					if (CollectionUtils.isNotEmpty(serviceCheckUsers)
-							&& StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) {
+	private Map<String, RangerPolicyResource> createKMSAuditResource(
+			List<RangerServiceDef.RangerResourceDef> resourceHierarchy) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceDBStore.createKMSAuditResource()");
+		}
+		Map<String, RangerPolicy.RangerPolicyResource> resourceMap = new HashMap<>();
 
-						RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+		for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) {
+			RangerPolicy.RangerPolicyResource polRes = new RangerPolicy.RangerPolicyResource();
 
-						policyItem.setUsers(serviceCheckUsers);
-						policyItem.setAccesses(allAccesses);
-						policyItem.setDelegateAdmin(true);
+			polRes.setIsExcludes(false);
+			polRes.setIsRecursive(resourceDef.getRecursiveSupported());
+			polRes.setValue(AUDITTOHDFS_KMS_PATH);
 
-						defaultPolicy.getPolicyItems().add(policyItem);
-					}
-                                        boolean isPolicyItemValid=validatePolicyItem(policyItems);
-                                        if (isPolicyItemValid) {
-                                                createPolicy(defaultPolicy);
-                                        } else {
-                                                LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy.");
-                                        }
+			resourceMap.put(resourceDef.getName(), polRes);
+		}
 
-				}
-			}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceDBStore.createKMSAuditResource():"
+					+ resourceMap);
 		}
+		return resourceMap;
 	}
 
-	void createDefaultPolicyUsersAndGroups(List<RangerPolicy> defaultPolicies) {
-		Set<String> defaultPolicyUsers = new HashSet<String>();
-		Set<String> defaultPolicyGroups = new HashSet<String>();
+	private void createDefaultTagPolicy(XXService createdService) throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceDBStore.createDefaultTagPolicy() ");
+		}
 
-		for (RangerPolicy defaultPolicy : defaultPolicies) {
+		String tagResourceDefName = null;
+		boolean isConditionDefFound = false;
 
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getPolicyItems()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
-			}
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getAllowExceptions()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
-			}
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDenyPolicyItems()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+		RangerServiceDef tagServiceDef = getServiceDef(createdService.getType());
+		List<RangerResourceDef> tagResourceDef = tagServiceDef.getResources();
+		if (tagResourceDef != null && tagResourceDef.size() > 0) {
+			// Assumption : First (and perhaps the only) resourceDef is the name of the tag resource
+			RangerResourceDef theTagResourceDef = tagResourceDef.get(0);
+			tagResourceDefName = theTagResourceDef.getName();
+		} else {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagResourceDef Name.");
+		}
+
+		List<RangerPolicyConditionDef> policyConditionDefs = tagServiceDef.getPolicyConditions();
+
+		if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
+			for (RangerPolicyConditionDef conditionDef : policyConditionDefs) {
+				if (conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
+					isConditionDefFound = true;
+					break;
+				}
 			}
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDenyExceptions()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+		}
+		if (!isConditionDefFound) {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
+		}
+
+		if (tagResourceDefName != null && isConditionDefFound) {
+
+			String tagType = "EXPIRES_ON";
+
+			String policyName = tagType;
+
+			RangerPolicy policy = new RangerPolicy();
+
+			policy.setIsEnabled(true);
+			policy.setVersion(1L);
+			policy.setName(StringUtils.trim(policyName));
+			policy.setService(createdService.getName());
+			policy.setDescription("Policy for data with " + tagType + " tag");
+			policy.setIsAuditEnabled(true);
+
+			Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>();
+
+			RangerPolicyResource polRes = new RangerPolicyResource();
+			polRes.setIsExcludes(false);
+			polRes.setIsRecursive(false);
+			polRes.setValue(tagType);
+			resourceMap.put(tagResourceDefName, polRes);
+
+			policy.setResources(resourceMap);
+
+			List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
+
+			RangerPolicyItem policyItem = new RangerPolicyItem();
+
+			List<String> groups = new ArrayList<String>();
+			groups.add(RangerConstants.GROUP_PUBLIC);
+			policyItem.setGroups(groups);
+
+			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
+			List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
+			for (XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+				RangerPolicyItemAccess access = new RangerPolicyItemAccess();
+				access.setType(accessTypeDef.getName());
+				access.setIsAllowed(true);
+				accesses.add(access);
 			}
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDataMaskPolicyItems()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+			policyItem.setAccesses(accesses);
+
+			List<RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicyItemCondition>();
+			List<String> values = new ArrayList<String>();
+			values.add("yes");
+			RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
+			policyItemConditions.add(policyItemCondition);
+
+			policyItem.setConditions(policyItemConditions);
+			policyItem.setDelegateAdmin(Boolean.FALSE);
+
+			policyItems.add(policyItem);
+
+			policy.setDenyPolicyItems(policyItems);
+
+			policy = createPolicy(policy);
+		} else {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy, tagResourceDefName=" + tagResourceDefName +
+					", tagPolicyConditionName=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceDBStore.createDefaultTagPolicy()");
+		}
+	}
+
+	private String buildPolicyName(List<RangerResourceDef> resourceHierarchy) {
+		String ret = "all";
+		if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
+			int resourceDefCount = 0;
+			for (RangerResourceDef resourceDef : resourceHierarchy) {
+				if (resourceDefCount > 0) {
+					ret += ", ";
+				} else {
+					ret += " - ";
+				}
+				ret += resourceDef.getName();
+				resourceDefCount++;
 			}
-			for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getRowFilterPolicyItems()) {
-				defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-				defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+		}
+		return ret;
+	}
+
+	void createDefaultPolicy(RangerPolicy policy, XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception {
+
+		String policyName=buildPolicyName(resourceHierarchy);
+
+		policy.setIsEnabled(true);
+		policy.setVersion(1L);
+		policy.setName(StringUtils.trim(policyName));
+		policy.setService(createdService.getName());
+		policy.setDescription("Policy for " + policyName);
+		policy.setIsAuditEnabled(true);
+		policy.setPolicyType(policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType());
+
+		policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+
+		if (vXUser != null) {
+			List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
+			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
+			//Create Default policy item for the service user
+			RangerPolicyItem policyItem = createDefaultPolicyItem(createdService, vXUser, accessTypeDefs);
+			policyItems.add(policyItem);
+			// For KMS add default policies for HDFS & HIVE users.
+			XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(createdService.getType());
+			if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
+				List<XXAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
+				List<XXAccessTypeDef> hiveAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
+				for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+					if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
+						hdfsAccessTypeDefs.add(accessTypeDef);
+						hiveAccessTypeDefs.add(accessTypeDef);
+					} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
+						hdfsAccessTypeDefs.add(accessTypeDef);
+					} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
+						hiveAccessTypeDefs.add(accessTypeDef);
+					}
+				}
+
+				String hdfsUser = PropertiesUtil.getProperty("ranger.kms.service.user.hdfs", "hdfs");
+				if (hdfsUser != null && !hdfsUser.isEmpty()) {
+					XXUser xxUser = daoMgr.getXXUser().findByUserName(hdfsUser);
+					if (xxUser != null) {
+						vXUser = xUserService.populateViewBean(xxUser);
+					} else {
+						vXUser = xUserMgr.createServiceConfigUser(hdfsUser);
+					}
+					if (vXUser != null) {
+						LOG.info("Creating default KMS policy item for " + hdfsUser);
+						policyItem = createDefaultPolicyItem(createdService, vXUser, hdfsAccessTypeDefs);
+						policyItems.add(policyItem);
+					}
+				}
+
+				String hiveUser = PropertiesUtil.getProperty("ranger.kms.service.user.hive", "hive");
+				if (hiveUser != null && !hiveUser.isEmpty()) {
+					XXUser xxUser = daoMgr.getXXUser().findByUserName(hiveUser);
+					if (xxUser != null) {
+						vXUser = xUserService.populateViewBean(xxUser);
+					} else {
+						vXUser = xUserMgr.createServiceConfigUser(hiveUser);
+					}
+					if (vXUser != null) {
+						LOG.info("Creating default KMS policy item for " + hiveUser);
+						policyItem = createDefaultPolicyItem(createdService, vXUser, hiveAccessTypeDefs);
+						policyItems.add(policyItem);
+					}
+				}
 			}
+			policy.setPolicyItems(policyItems);
 		}
-		for (String policyUser : defaultPolicyUsers) {
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("Checking policyUser:[" + policyUser + "] for existence");
+	}
+
+	private RangerPolicyItem createDefaultPolicyItem(XXService createdService, VXUser vXUser, List<XXAccessTypeDef> accessTypeDefs) throws Exception {
+		String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL);
+		String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
+		String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE,"simple");
+		String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
+		String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+
+		RangerPolicyItem policyItem = new RangerPolicyItem();
+
+		List<String> users = new ArrayList<String>();
+		users.add(vXUser.getName());
+		VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
+
+		XXService xService = daoMgr.getXXService().findByName(createdService.getName());
+		XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType());
+		if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){
+			VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
+			if(vXAdminUser != null){
+				users.add(vXAdminUser.getName());
+			}	
+		}else if(vXLookupUser != null){
+			users.add(vXLookupUser.getName());
+		}else{
+			// do nothing
+		}
+
+		if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.ATLAS_IMPL_CLASS_NAME)){
+			VXUser vXUserAdmin = chkAdminUserExists("admin");
+			if(vXUserAdmin != null){
+				users.add(vXUserAdmin.getName());
 			}
-			if (StringUtils.isNotBlank(policyUser) && !StringUtils.equals(policyUser, RangerPolicyEngine.USER_CURRENT)
-					&& !StringUtils.equals(policyUser, RangerPolicyEngine.RESOURCE_OWNER)) {
-				XXUser xxUser = daoMgr.getXXUser().findByUserName(policyUser);
-				if (xxUser == null) {
-					UserSessionBase usb = ContextUtil.getCurrentUserSession();
-					if (usb != null && !usb.isKeyAdmin() && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) {
-						throw restErrorUtil.createRESTException("User does not exist with given username: ["
-								+ policyUser + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
+		}
+
+		RangerService rangerService = getServiceByName(createdService.getName());
+		if (rangerService != null){
+			Map<String, String> map = rangerService.getConfigs();
+			if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){
+				String userNames = map.get(AMBARI_SERVICE_CHECK_USER);
+				String[] userList = userNames.split(",");
+				if(userList != null){
+					for (String userName : userList) {
+						if(!StringUtils.isEmpty(userName)){
+							XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
+							if (xxUser != null) {
+								vXUser = xUserService.populateViewBean(xxUser);
+							} else {
+								vXUser = xUserMgr.createServiceConfigUser(userName);
+								LOG.info("Creating Ambari Service Check User : "+vXUser.getName());
+							}
+							if(vXUser != null){
+								users.add(vXUser.getName());
+							}
+						}
 					}
-					xUserMgr.createServiceConfigUser(policyUser);
 				}
 			}
 		}
-		for (String policyGroup : defaultPolicyGroups) {
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("Checking policyGroup:[" + policyGroup + "] for existence");
+		policyItem.setUsers(users);
+
+		List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
+		for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+			RangerPolicyItemAccess access = new RangerPolicyItemAccess();
+			access.setType(accessTypeDef.getName());
+			access.setIsAllowed(true);
+			accesses.add(access);
+		}
+		policyItem.setAccesses(accesses);
+
+		policyItem.setDelegateAdmin(true);
+		return policyItem;
+	}
+
+	private VXUser chkAdminUserExists(String adminUser) {
+		VXUser vXUser = null;
+		if(!StringUtils.isEmpty(adminUser)){
+			XXUser xxUser = daoMgr.getXXUser().findByUserName(adminUser);
+			if (xxUser != null) {
+				vXUser = xUserService.populateViewBean(xxUser);
 			}
-			if (StringUtils.isNotBlank(policyGroup)) {
-				XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(policyGroup);
-				if (xxGroup == null) {
-					UserSessionBase usb = ContextUtil.getCurrentUserSession();
-					if (usb != null && !usb.isKeyAdmin() && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) {
-						throw restErrorUtil.createRESTException("Group does not exist with given groupname: ["
-								+ policyGroup + "] please use existing group", MessageEnums.OPER_NO_PERMISSION);
+		}
+		return vXUser;
+	}
+
+	private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
+		VXUser vXUser = null;
+		if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
+			if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+				KerberosName krbName = new KerberosName(lookupPrincipal);
+				String lookupUser=null;
+				try {
+					lookupUser = krbName.getShortName();
+				} catch (IOException e) {
+					throw restErrorUtil.createRESTException("Please provide proper value of lookup user principal : "+ lookupPrincipal, MessageEnums.INVALID_INPUT_DATA);
+				}
+				
+				if(LOG.isDebugEnabled()){
+					LOG.debug("Checking for Lookup User : "+lookupUser);
+				}
+				if(!StringUtils.isEmpty(lookupUser)){
+					XXUser xxUser = daoMgr.getXXUser().findByUserName(lookupUser);
+					if (xxUser != null) {
+						vXUser = xUserService.populateViewBean(xxUser);
+					} else {
+						vXUser = xUserMgr.createServiceConfigUser(lookupUser);
+						LOG.info("Creating Lookup User : "+vXUser.getName());
 					}
-					VXGroup vXGroup = new VXGroup();
-					vXGroup.setName(policyGroup);
-					vXGroup.setDescription(policyGroup);
-					vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL);
-					vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE);
-					xGroupService.createResource(vXGroup);
 				}
 			}
 		}
+		return vXUser;
 	}
 
-	List<String> getServiceCheckUsers(RangerService createdService) {
-		List<String> ret = new ArrayList<String>();
 
-		Map<String, String> serviceConfig = createdService.getConfigs();
+	Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception {
+		Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
 
-		if (serviceConfig.containsKey(AMBARI_SERVICE_CHECK_USER)) {
-			String userNames = serviceConfig.get(AMBARI_SERVICE_CHECK_USER);
-			String[] userList = userNames.split(",");
-			for (String userName : userList) {
-				if (!StringUtils.isEmpty(userName)) {
-					ret.add(userName);
-				}
+		for (RangerResourceDef resourceDef : resourceHierarchy) {
+			RangerPolicyResource polRes = new RangerPolicyResource();
+			polRes.setIsExcludes(false);
+			polRes.setIsRecursive(false);
+
+			String value = "*";
+			if("path".equalsIgnoreCase(resourceDef.getName())) {
+				value = "/*";
 			}
-		}
 
-		return ret;
+			if(resourceDef.getRecursiveSupported()) {
+				polRes.setIsRecursive(Boolean.TRUE);
+			}
+
+			polRes.setValue(value);
+			resourceMap.put(resourceDef.getName(), polRes);
+		}
+		return resourceMap;
 	}
 
 	private Map<String, String> validateRequiredConfigParams(RangerService service, Map<String, String> configs) {
@@ -2732,381 +2944,77 @@ public class ServiceDBStore extends AbstractServiceStore {
 		updatePolicyVersion(service, isTagVersionUpdateNeeded);
 	}
 
+	public enum VERSION_TYPE { POLICY_VERSION, TAG_VERSION, POLICY_AND_TAG_VERSION }
+
 	private void updatePolicyVersion(RangerService service, boolean isTagVersionUpdateNeeded) throws Exception {
 		if(service == null || service.getId() == null) {
 			return;
 		}
 
-		boolean filterForServicePlugin = RangerConfiguration.getInstance().getBoolean(RangerTagDBRetriever.OPTION_RANGER_FILTER_TAGS_FOR_SERVICE_PLUGIN, false);
-
 		XXServiceDao serviceDao = daoMgr.getXXService();
 
-		XXService serviceDbObj = serviceDao.getById(service.getId());
+		final XXService serviceDbObj = serviceDao.getById(service.getId());
 		if(serviceDbObj == null) {
 			LOG.warn("updatePolicyVersion(serviceId=" + service.getId() + "): service not found");
 
 			return;
 		}
 
-		XXServiceVersionInfoDao serviceVersionInfoDao = daoMgr.getXXServiceVersionInfo();
-
-		XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(service.getId());
+		final RangerDaoManager daoManager  = daoMgr;
+		final Long 			   serviceId   = serviceDbObj.getId();
+		final VERSION_TYPE     versionType = VERSION_TYPE.POLICY_VERSION;
 
-		if(serviceVersionInfoDbObj != null) {
-			serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
-			serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
-
-			serviceVersionInfoDao.update(serviceVersionInfoDbObj);
-
-		} else {
-			LOG.warn("updatePolicyVersion(service=" + serviceDbObj.getName() + "): serviceVersionInfo not found, creating it..");
-
-			serviceVersionInfoDbObj = new XXServiceVersionInfo();
-			serviceVersionInfoDbObj.setServiceId(serviceDbObj.getId());
-			serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceDbObj.getPolicyVersion()));
-			serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
-			serviceVersionInfoDbObj.setTagVersion(serviceDbObj.getTagVersion());
-			serviceVersionInfoDbObj.setTagUpdateTime(serviceDbObj.getTagUpdateTime());
-
-			serviceVersionInfoDao.create(serviceVersionInfoDbObj);
-		}
+		Runnable serviceVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, versionType);
+		transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater);
 
 		// if this is a tag service, update all services that refer to this tag service
 		// so that next policy-download from plugins will get updated tag policies
 		boolean isTagService = serviceDbObj.getType() == EmbeddedServiceDefsUtil.instance().getTagServiceDefId();
 		if(isTagService) {
-			List<XXService> referringServices = serviceDao.findByTagServiceId(serviceDbObj.getId());
+			List<XXService> referringServices = serviceDao.findByTagServiceId(serviceId);
 
 			if(CollectionUtils.isNotEmpty(referringServices)) {
 				for(XXService referringService : referringServices) {
-					serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(referringService.getId());
-					if (serviceVersionInfoDbObj != null) {
-
-						serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
-						serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
+					final Long 		    referringServiceId 	  = referringService.getId();
+					final VERSION_TYPE  tagServiceversionType = VERSION_TYPE.POLICY_VERSION;
 
-						if (filterForServicePlugin && isTagVersionUpdateNeeded) {
-							serviceVersionInfoDbObj.setTagVersion(getNextVersion(serviceVersionInfoDbObj.getTagVersion()));
-							serviceVersionInfoDbObj.setTagUpdateTime(new Date());
-						}
-						serviceVersionInfoDao.update(serviceVersionInfoDbObj);
-					} else {
-						LOG.warn("updatePolicyVersion(service=" + referringService.getName() + "): serviceVersionInfo not found, creating it..");
-						serviceVersionInfoDbObj = new XXServiceVersionInfo();
-						serviceVersionInfoDbObj.setServiceId(referringService.getId());
-						serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(referringService.getPolicyVersion()));
-						serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
-						if (filterForServicePlugin && isTagVersionUpdateNeeded) {
-							serviceVersionInfoDbObj.setTagVersion(getNextVersion(referringService.getTagVersion()));
-							serviceVersionInfoDbObj.setTagUpdateTime(new Date());
-						} else {
-							serviceVersionInfoDbObj.setTagVersion(referringService.getTagVersion());
-							serviceVersionInfoDbObj.setTagUpdateTime(referringService.getTagUpdateTime());
-						}
-						serviceVersionInfoDao.create(serviceVersionInfoDbObj);
-					}
+					Runnable tagServiceVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, tagServiceversionType);
+					transactionSynchronizationAdapter.executeOnTransactionCommit(tagServiceVersionUpdater);
 				}
 			}
 		}
 	}
 
-	private XXPolicyItem createNewPolicyItemForPolicy(RangerPolicy policy, XXPolicy xPolicy, RangerPolicyItem policyItem, XXServiceDef xServiceDef, int itemOrder, int policyItemType) throws Exception {
-		XXPolicyItem xPolicyItem = new XXPolicyItem();
-
-		xPolicyItem = (XXPolicyItem) rangerAuditFields.populateAuditFields(xPolicyItem, xPolicy);
-
-		xPolicyItem.setDelegateAdmin(policyItem.getDelegateAdmin());
-		xPolicyItem.setItemType(policyItemType);
-		xPolicyItem.setIsEnabled(Boolean.TRUE);
-		xPolicyItem.setComments(null);
-		xPolicyItem.setPolicyId(policy.getId());
-		xPolicyItem.setOrder(itemOrder);
-		xPolicyItem = daoMgr.getXXPolicyItem().create(xPolicyItem);
-
-		List<RangerPolicyItemAccess> accesses = policyItem.getAccesses();
-		for (int i = 0; i < accesses.size(); i++) {
-			RangerPolicyItemAccess access = accesses.get(i);
-
-			XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef()
-					.findByNameAndServiceId(access.getType(),
-							xPolicy.getService());
-			if (xAccTypeDef == null) {
-				throw new Exception(access.getType() + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
-			}
-
-			XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
-
-			xPolItemAcc = (XXPolicyItemAccess) rangerAuditFields.populateAuditFields(xPolItemAcc, xPolicyItem);
-			xPolItemAcc.setIsAllowed(access.getIsAllowed());
-			xPolItemAcc.setType(xAccTypeDef.getId());
-			xPolItemAcc.setPolicyitemid(xPolicyItem.getId());
-			xPolItemAcc.setOrder(i);
-
-			daoMgr.getXXPolicyItemAccess().create(xPolItemAcc);
-		}
-
-		List<String> users = policyItem.getUsers();
-		for(int i = 0; i < users.size(); i++) {
-			String user = users.get(i);
-			if (StringUtils.isBlank(user)) {
-				continue;
-			}
-			XXUser xUser = daoMgr.getXXUser().findByUserName(user);
-			if(xUser == null) {
-				throw new Exception(user + ": user does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'");
-			}
-			XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
-			xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
-			xUserPerm.setUserId(xUser.getId());
-			xUserPerm.setPolicyItemId(xPolicyItem.getId());
-			xUserPerm.setOrder(i);
-			xUserPerm = daoMgr.getXXPolicyItemUserPerm().create(xUserPerm);
-		}
-
-		List<String> groups = policyItem.getGroups();
-		for(int i = 0; i < groups.size(); i++) {
-			String group = groups.get(i);
-			if (StringUtils.isBlank(group)) {
-				continue;
-			}
-			XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
-			if(xGrp == null) {
-				throw new Exception(group + ": group does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'");
-			}
-			XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
-			xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
-			xGrpPerm.setGroupId(xGrp.getId());
-			xGrpPerm.setPolicyItemId(xPolicyItem.getId());
-			xGrpPerm.setOrder(i);
-			xGrpPerm = daoMgr.getXXPolicyItemGroupPerm().create(xGrpPerm);
-		}
-
-		List<RangerPolicyItemCondition> conditions = policyItem.getConditions();
-		for(RangerPolicyItemCondition condition : conditions) {
-			XXPolicyConditionDef xPolCond = daoMgr
-					.getXXPolicyConditionDef().findByServiceDefIdAndName(
-							xServiceDef.getId(), condition.getType());
-
-			if(xPolCond == null) {
-				throw new Exception(condition.getType() + ": is not a valid condition-type. policy='"+  xPolicy.getName() + "' service='"+ xPolicy.getService() + "'");
-			}
-
-			for(int i = 0; i < condition.getValues().size(); i++) {
-				String value = condition.getValues().get(i);
-				XXPolicyItemCondition xPolItemCond = new XXPolicyItemCondition();
-				xPolItemCond = (XXPolicyItemCondition) rangerAuditFields.populateAuditFields(xPolItemCond, xPolicyItem);
-				xPolItemCond.setPolicyItemId(xPolicyItem.getId());
-				xPolItemCond.setType(xPolCond.getId());
-				xPolItemCond.setValue(value);
-				xPolItemCond.setOrder(i);
-
-				daoMgr.getXXPolicyItemCondition().create(xPolItemCond);
-			}
-		}
-
-		return xPolicyItem;
-	}
-
-	private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef, int policyItemType) throws Exception {
-		if(CollectionUtils.isNotEmpty(policyItems)) {
-			for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
-				RangerPolicyItem policyItem = policyItems.get(itemOrder);
-				createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
-			}
-		}
-	}
-
-	private void createNewDataMaskPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerDataMaskPolicyItem> policyItems, XXServiceDef xServiceDef, int policyItemType) throws Exception {
-		if(CollectionUtils.isNotEmpty(policyItems)) {
-			for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
-				RangerDataMaskPolicyItem policyItem = policyItems.get(itemOrder);
-
-				XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
-
-				RangerPolicyItemDataMaskInfo dataMaskInfo = policyItem.getDataMaskInfo();
-
-				if(dataMaskInfo != null) {
-					XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskInfo.getDataMaskType(), xPolicy.getService());
-
-					if(dataMaskDef == null) {
-						throw new Exception(dataMaskInfo.getDataMaskType() + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
-					}
-
-					XXPolicyItemDataMaskInfo xxDataMaskInfo = new XXPolicyItemDataMaskInfo();
-
-					xxDataMaskInfo.setPolicyItemId(xPolicyItem.getId());
-					xxDataMaskInfo.setType(dataMaskDef.getId());
-					xxDataMaskInfo.setConditionExpr(dataMaskInfo.getConditionExpr());
-					xxDataMaskInfo.setValueExpr(dataMaskInfo.getValueExpr());
-
-					daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
-				}
-			}
-		}
-	}
-
-	private void createNewRowFilterPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerRowFilterPolicyItem> policyItems, XXServiceDef xServiceDef, int policyItemType) throws Exception {
-		if(CollectionUtils.isNotEmpty(policyItems)) {
-			for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
-				RangerRowFilterPolicyItem policyItem = policyItems.get(itemOrder);
-
-				XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
-
-				RangerPolicyItemRowFilterInfo dataMaskInfo = policyItem.getRowFilterInfo();
-
-				if(dataMaskInfo != null) {
-					XXPolicyItemRowFilterInfo xxRowFilterInfo = new XXPolicyItemRowFilterInfo();
-
-					xxRowFilterInfo.setPolicyItemId(xPolicyItem.getId());
-					xxRowFilterInfo.setFilterExpr(dataMaskInfo.getFilterExpr());
-
-					xxRowFilterInfo = daoMgr.getXXPolicyItemRowFilterInfo().create(xxRowFilterInfo);
-				}
-			}
-		}
-	}
+	public static void persistVersionChange(RangerDaoManager daoMgr, Long id, VERSION_TYPE versionType) {
+		XXServiceVersionInfoDao serviceVersionInfoDao = daoMgr.getXXServiceVersionInfo();
 
-	private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) throws Exception {
-		
-		for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
-			RangerPolicyResource policyRes = resource.getValue();
-
-			XXResourceDef xResDef = daoMgr.getXXResourceDef()
-					.findByNameAndPolicyId(resource.getKey(), policy.getId());
-			if (xResDef == null) {
-				throw new Exception(resource.getKey() + ": is not a valid resource-type. policy='"+  policy.getName() + "' service='"+ policy.getService() + "'");
-			}
-
-			XXPolicyResource xPolRes = new XXPolicyResource();
-			xPolRes = (XXPolicyResource) rangerAuditFields.populateAuditFields(xPolRes, xPolicy);
-
-			xPolRes.setIsExcludes(policyRes.getIsExcludes());
-			xPolRes.setIsRecursive(policyRes.getIsRecursive());
-			xPolRes.setPolicyId(policy.getId());
-			xPolRes.setResDefId(xResDef.getId());
-			xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
-
-			List<String> values = policyRes.getValues();
-			if (CollectionUtils.isNotEmpty(values)) {
-				Set<String> uniqueValues = new LinkedHashSet<String>(values);
-				int i = 0;
-				if (CollectionUtils.isNotEmpty(uniqueValues)) {
-					for (String uniqValue : uniqueValues) {
-						if (!StringUtils.isEmpty(uniqValue)) {
-							XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
-							xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap,xPolRes);
-							xPolResMap.setResourceId(xPolRes.getId());
-							xPolResMap.setValue(uniqValue);
-							xPolResMap.setOrder(i);
-							xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
-							i++;
-						}
-					}
-				}
-			}
-		}
-	}
+		XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(id);
 
-	private Boolean deleteExistingPolicyItems(RangerPolicy policy) {
-		if(policy == null) {
-			return false;
-		}
-		
-		XXPolicyItemDao policyItemDao = daoMgr.getXXPolicyItem();
-		List<XXPolicyItem> policyItems = policyItemDao.findByPolicyId(policy.getId());
-		for(XXPolicyItem policyItem : policyItems) {
-			Long polItemId = policyItem.getId();
-			
-			XXPolicyItemConditionDao polCondDao = daoMgr.getXXPolicyItemCondition();
-			List<XXPolicyItemCondition> conditions = polCondDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemCondition condition : conditions) {
-				polCondDao.remove(condition);
-			}
-			
-			XXPolicyItemGroupPermDao grpPermDao = daoMgr.getXXPolicyItemGroupPerm();
-			List<XXPolicyItemGroupPerm> groups = grpPermDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemGroupPerm group : groups) {
-				grpPermDao.remove(group);
-			}
-			
-			XXPolicyItemUserPermDao userPermDao = daoMgr.getXXPolicyItemUserPerm();
-			List<XXPolicyItemUserPerm> users = userPermDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemUserPerm user : users) {
-				userPermDao.remove(user);
+		if(serviceVersionInfoDbObj != null) {
+			if (versionType == VERSION_TYPE.POLICY_VERSION || versionType == VERSION_TYPE.POLICY_AND_TAG_VERSION) {
+				serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
+				serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
 			}
-			
-			XXPolicyItemAccessDao polItemAccDao = daoMgr.getXXPolicyItemAccess();
-			List<XXPolicyItemAccess> accesses = polItemAccDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemAccess access : accesses) {
-				polItemAccDao.remove(access);
+			if (versionType == VERSION_TYPE.TAG_VERSION || versionType == VERSION_TYPE.POLICY_AND_TAG_VERSION) {
+				serviceVersionInfoDbObj.setTagVersion(getNextVersion(serviceVersionInfoDbObj.getTagVersion()));
+				serviceVersionInfoDbObj.setTagUpdateTime(new Date());
 			}
 
-			XXPolicyItemDataMaskInfoDao polItemDataMaskInfoDao = daoMgr.getXXPolicyItemDataMaskInfo();
-			List<XXPolicyItemDataMaskInfo> dataMaskInfos = polItemDataMaskInfoDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemDataMaskInfo dataMaskInfo : dataMaskInfos) {
-				polItemDataMaskInfoDao.remove(dataMaskInfo);
-			}
-
-			XXPolicyItemRowFilterInfoDao polItemRowFilterInfoDao = daoMgr.getXXPolicyItemRowFilterInfo();
-			List<XXPolicyItemRowFilterInfo> rowFilterInfos = polItemRowFilterInfoDao.findByPolicyItemId(polItemId);
-			for(XXPolicyItemRowFilterInfo rowFilterInfo : rowFilterInfos) {
-				polItemRowFilterInfoDao.remove(rowFilterInfo);
-			}
+			serviceVersionInfoDao.update(serviceVersionInfoDbObj);
 
-			policyItemDao.remove(policyItem);
-		}
-		return true;
-	}
+		} else {
+			XXService service = daoMgr.getXXService().getById(id);
+			if (service != null) {
+				serviceVersionInfoDbObj = new XXServiceVersionInfo();
+				serviceVersionInfoDbObj.setServiceId(service.getId());
+				serviceVersionInfoDbObj.setPolicyVersion(1L);
+				serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
+				serviceVersionInfoDbObj.setTagVersion(1L);
+				serviceVersionInfoDbObj.setTagUpdateTime(new Date());
 
-	private Boolean deleteExistingPolicyResources(RangerPolicy policy) {
-		if(policy == null) {
-			return false;
-		}
-		
-		List<XXPolicyResource> resources = daoMgr.getXXPolicyResource().findByPolicyId(policy.getId());
-		
-		XXPolicyResourceDao resDao = daoMgr.getXXPolicyResource();
-		for(XXPolicyResource resource : resources) {
-			List<XXPolicyResourceMap> resMapList = daoMgr.getXXPolicyResourceMap().findByPolicyResId(resource.getId());
-			
-			XXPolicyResourceMapDao resMapDao = daoMgr.getXXPolicyResourceMap();
-			for(XXPolicyResourceMap resMap : resMapList) {
-				resMapDao.remove(resMap);
+				serviceVersionInfoDao.create(serviceVersionInfoDbObj);
 			}
-			resDao.remove(resource);
 		}
-		return true;
-	}
-
-	private Boolean deleteExistingPolicyItemsNative(RangerPolicy policy) {
-		if(policy == null) {
-			return false;
-		}
-		XXPolicyItemDao policyItemDao = daoMgr.getXXPolicyItem();
-		List<XXPolicyItem> policyItems = policyItemDao.findByPolicyId(policy.getId());
-		for(XXPolicyItem policyItem : policyItems) {
-			Long polItemId = policyItem.getId();
-			daoMgr.getXXPolicyItemRowFilterInfo().deletePolicyIDReference("policy_item_id", polItemId);
-			daoMgr.getXXPolicyItemDataMaskInfo().deletePolicyIDReference("policy_item_id", polItemId);
-			daoMgr.getXXPolicyItemGroupPerm().deletePolicyIDReference("policy_item_id", polItemId);
-			daoMgr.getXXPolicyItemUserPerm().deletePolicyIDReference("policy_item_id", polItemId);
-			daoMgr.getXXPolicyItemCondition().deletePolicyIDReference("policy_item_id", polItemId);
-			daoMgr.getXXPolicyItemAccess().deletePolicyIDReference("policy_item_id", polItemId);
-		}
-		daoMgr.getXXPolicyItem().deletePolicyIDReference("policy_id", policy.getId());
-		return true;
-	}
-
-	private Boolean deleteExistingPolicyResourcesNative(RangerPolicy policy) {
-		if(policy == null) {
-			return false;
-		}
-		List<XXPolicyResource> resources = daoMgr.getXXPolicyResource().findByPolicyId(policy.getId());
-		for(XXPolicyResource resource : resources) {
-			daoMgr.getXXPolicyResourceMap().deletePolicyIDReference("resource_id", resource.getId());
-			daoMgr.getXXPolicyResource().deletePolicyIDReference("id", resource.getId());
-		}
-		return true;
 	}
 
 	@Override
@@ -3177,55 +3085,34 @@ public class ServiceDBStore extends AbstractServiceStore {
 			return;
 		}
 
+		final RangerDaoManager daoManager = daoMgr;
+
 		boolean isTagServiceDef = StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
 
 		XXServiceDao serviceDao = daoMgr.getXXService();
-		XXServiceVersionInfoDao serviceVersionInfoDao = daoMgr.getXXServiceVersionInfo();
 
 		List<XXService> services = serviceDao.findByServiceDefId(serviceDef.getId());
 
 		if(CollectionUtils.isNotEmpty(services)) {
 			for(XXService service : services) {
-				XXServiceVersionInfo serviceVersionInfo = serviceVersionInfoDao.findByServiceId(service.getId());
-				if (serviceVersionInfo != null) {
-					serviceVersionInfo.setPolicyVersion(getNextVersion(serviceVersionInfo.getPolicyVersion()));
-					serviceVersionInfo.setPolicyUpdateTime(serviceDef.getUpdateTime());
 
-					serviceVersionInfoDao.update(serviceVersionInfo);
-				} else {
-					LOG.warn("updateServicesForServiceDefUpdate(service=" + service.getName() + "): serviceVersionInfo not found, creating it..");
-					serviceVersionInfo = new XXServiceVersionInfo();
-					serviceVersionInfo.setServiceId(service.getId());
-					serviceVersionInfo.setPolicyVersion(getNextVersion(service.getPolicyVersion()));
-					serviceVersionInfo.setTagVersion(service.getTagVersion());
-					serviceVersionInfo.setPolicyUpdateTime(new Date());
-					serviceVersionInfo.setTagUpdateTime(service.getTagUpdateTime());
+				final Long 		    serviceId 	= service.getId();
+				final VERSION_TYPE  versionType = VERSION_TYPE.POLICY_VERSION;
 
-					serviceVersionInfoDao.create(serviceVersionInfo);
-				}
+				Runnable serviceVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, versionType);
+				transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater);
 
 				if(isTagServiceDef) {
-					List<XXService> referrringServices = serviceDao.findByTagServiceId(service.getId());
+					List<XXService> referringServices = serviceDao.findByTagServiceId(service.getId());
 
-					if(CollectionUtils.isNotEmpty(referrringServices)) {
-						for(XXService referringService : referrringServices) {
-							serviceVersionInfo = serviceVersionInfoDao.findByServiceId(referringService.getId());
-							if (serviceVersionInfo != null) {
-								serviceVersionInfo.setPolicyVersion(getNextVersion(serviceVersionInfo.getPolicyVersion()));
-								serviceVersionInfo.setPolicyUpdateTime(serviceDef.getUpdateTime());
+					if(CollectionUtils.isNotEmpty(referringServices)) {
+						for(XXService referringService : referringServices) {
 
-								serviceVersionInfoDao.update(serviceVersionInfo);
-							} else {
-								LOG.warn("updateServicesForServiceDefUpdate(service=" + referringService.getName() + "): serviceVersionInfo not found, creating it..");
-								serviceVersionInfo = new XXServiceVersionInfo();
-								serviceVersionInfo.setServiceId(referringService.getId());
-								serviceVersionInfo.setPolicyVersion(getNextVersion(referringService.getPolicyVersion()));
-								serviceVersionInfo.setTagVersion(referringService.getTagVersion());
-								serviceVersionInfo.setPolicyUpdateTime(new Date());
-								serviceVersionInfo.setTagUpdateTime(referringService.getTagUpdateTime());
-
-								serviceVersionInfoDao.create(serviceVersionInfo);
-							}
+							final Long 		    referringServiceId    = referringService.getId();
+							final VERSION_TYPE  tagServiceVersionType = VERSION_TYPE.POLICY_VERSION;
+
+							Runnable tagServiceVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, tagServiceVersionType);
+							transactionSynchronizationAdapter.executeOnTransactionCommit(tagServiceVersionUpdater);
 						}
 					}
 				}
@@ -3711,10 +3598,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 
 	private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem,
 			RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditonType) {
-		if (LOG.isDebugEnabled()) {
-			// To avoid PMD violation
-			LOG.debug("policyConditonType:[" + policyConditonType + "]");
-		}
 		List<String> groups = new ArrayList<String>();
 		List<String> users = new ArrayList<String>();
 		String groupNames = "";
@@ -3995,18 +3878,34 @@ public class ServiceDBStore extends AbstractServiceStore {
 		xUserService.createXUserWithOutLogin(genericUser);
 	}
 
-    public boolean isServiceAdminUser(String serviceName, String userName) {
-        boolean ret=false;
-        XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS);
-        String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
-        if (svcAdminUsers != null) {
-            for (String svcAdminUser : svcAdminUsers.split(",")) {
-                if (userName.equals(svcAdminUser)) {
-                    ret=true;
-                    break;
-                }
-            }
-        }
-        return ret;
-    }
+	public boolean isServiceAdminUser(String serviceName, String userName) {
+		boolean ret=false;
+		XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS);
+		String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
+		if (svcAdminUsers != null) {
+			for (String svcAdminUser : svcAdminUsers.split(",")) {
+				if (userName.equals(svcAdminUser)) {
+					ret=true;
+					break;
+				}
+			}
+		}
+		return ret;
+	}
+
+	public static class ServiceVersionUpdater implements Runnable {
+		final Long 			   serviceId;
+		final RangerDaoManager daoManager;
+		final VERSION_TYPE     versionType;
+
+		public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VERSION_TYPE versionType ) {
+			this.serviceId   = serviceId;
+			this.daoManager  = daoManager;
+			this.versionType = versionType;
+		}
+		@Override
+		public void run() {
+			ServiceDBStore.persistVersionChange(this.daoManager, this.serviceId, this.versionType);
+		}
+	}
 }


Mime
View raw message