diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 858c3f5423..704434b8e6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -21,7 +21,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -66,15 +65,8 @@ public class PolicyEngine {
 private boolean useForwardedIPAddress;
 private String[] trustedProxyAddresses;
 private final Map tokenReplacers = new HashMap<>();
-
 private final RangerReadWriteLock lock;
- static private Map>> impliedAccessGrants = null;
-
- static public Map> getImpliedAccessGrants(RangerServiceDef serviceDef) {
- return impliedAccessGrants == null ? null : impliedAccessGrants.get(serviceDef.getName());
- }
-
 public RangerReadWriteLock.RangerLock getReadLock() {
 return lock.getReadLock();
@@ -204,7 +196,7 @@ public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginC
 PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory);
 }
- buildImpliedAccessGrants(servicePolicies);
+ normalizeServiceDefs(servicePolicies);
 this.pluginContext = pluginContext;
 this.lock = new RangerReadWriteLock(isUseReadWriteLock);
@@ -482,32 +474,20 @@ public void preCleanup(boolean isForced) {
 }
 }
- synchronized static private void buildImpliedAccessGrants(ServicePolicies servicePolicies) {
+ private void normalizeServiceDefs(ServicePolicies servicePolicies) {
 RangerServiceDef serviceDef = servicePolicies.getServiceDef();
 if (serviceDef != null) {
- buildImpliedAccessGrants(ServiceDefUtil.normalize(serviceDef));
+ ServiceDefUtil.normalize(serviceDef);
 RangerServiceDef tagServiceDef = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceDef() : null;
 if (tagServiceDef != null) {
- buildImpliedAccessGrants(ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName()));
+ ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName());
 }
 }
 }
- static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
- if (serviceDef != null) {
- RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false);
-
- if (impliedAccessGrants == null) {
- impliedAccessGrants = Collections.synchronizedMap(new HashMap<>());
- }
-
- impliedAccessGrants.put(serviceDef.getName(), helper.getImpliedAccessGrants());
- }
- }
-
 private PolicyEngine(final PolicyEngine other, ServicePolicies servicePolicies) {
 this.useForwardedIPAddress = other.useForwardedIPAddress;
 this.trustedProxyAddresses = other.trustedProxyAddresses;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
index a3e3806ec1..2190ad2812 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
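Review bot: In `normalizeServiceDefs` the results of `ServiceDefUtil.normalize(serviceDef)` and `ServiceDefUtil.normalizeAccessTypeDefs(...)` are now discarded, whereas the removed `buildImpliedAccessGrants` consumed them; this is only correct if both helpers update the passed RangerServiceDef in place, which the hunk cannot show, and since these defs feed the implied-grant expansion used in allow/deny evaluation the assumption should be written down: `// normalize()/normalizeAccessTypeDefs() mutate the service-def in place; their return values are intentionally unused`. Dropping `synchronized static` also means PolicyEngine instances created concurrently from the same ServicePolicies normalize the same RangerServiceDef objects without any lock, which requires normalization to be idempotent and safe under concurrent callers — worth confirming. The method reads no instance state and is invoked from the constructor before `this.pluginContext` and `this.lock` are assigned, so keeping it `static` would make that independence explicit. The private copy constructor at the end of the hunk continues outside it.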
@@ -29,7 +29,6 @@
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -118,7 +117,7 @@ protected RangerPolicyItem computeWithImpliedGrants() {
 ret = policyItem;
 } else { // Compute implied-accesses
- Map> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef);
+ Map> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 if (impliedAccessGrants != null && !impliedAccessGrants.isEmpty()) {
 ret = new RangerPolicyItem(policyItem);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 9051a8ce44..96610e2eb2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -100,10 +100,10 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
 }
 @Override
- protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
- super.preprocessPolicy(policy, serviceDef);
+ protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
+ super.preprocessPolicy(policy, serviceDef, options);
- Map> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef);
+ Map> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
 return;
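Review bot: `options.getServiceDefHelper().getImpliedAccessGrants()` in computeWithImpliedGrants dereferences the helper unconditionally, while the replaced `PolicyEngine.getImpliedAccessGrants(serviceDef)` simply returned null when no grants had been built and the existing `if (impliedAccessGrants != null && ...)` guard then skipped the expansion; if `getServiceDefHelper()` can be null for some RangerPolicyEngineOptions (older callers or tests that never set a helper), policy-item evaluation now fails with a NullPointerException instead of proceeding without implied grants. A local keeps the previous tolerance: `RangerServiceDefHelper helper = options.getServiceDefHelper();` followed by `... impliedAccessGrants = helper != null ? helper.getImpliedAccessGrants() : null;`. The same unguarded chain is introduced in RangerAuditPolicyEvaluator.preprocessPolicy in the next hunk and in RangerDefaultPolicyEvaluator.init later in this diff. computeWithImpliedGrants begins before this hunk.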
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index bc627adf53..7fe2a2eb3c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -42,7 +42,6 @@
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.model.RangerValiditySchedule;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestWrapper;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
@@ -128,7 +127,7 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
 policy = getPolicy();
- preprocessPolicy(policy, serviceDef);
+ preprocessPolicy(policy, serviceDef, options);
 if(policy != null) {
 validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
@@ -136,7 +135,7 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
 this.disableRoleResolution = options.disableRoleResolution;
 if (!options.disableAccessEvaluationWithPolicyACLSummary) {
- aclSummary = createPolicyACLSummary();
+ aclSummary = createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants());
 }
 useAclSummaryForEvaluation = aclSummary != null;
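Review bot: `preprocessPolicy(policy, serviceDef, options)` moves `init` onto a new three-argument hook, so a subclass outside this diff that still overrides `preprocessPolicy(RangerPolicy, RangerServiceDef)` (a plugin-specific evaluator, for example) would keep compiling but silently stop being called, because the base class no longer invokes the two-argument form; whether such overrides exist is not visible here. If they may, a deprecated two-argument overload that the default three-argument implementation delegates to, or at least a Javadoc note on the hook, avoids an unannounced change in how policies are preprocessed. In the second hunk, `createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants())` also assumes a non-null helper; a null one now makes `init` throw rather than leaving `aclSummary` null, which the following `useAclSummaryForEvaluation = aclSummary != null;` evidently treats as a supported state. init starts before the first hunk and continues past the second.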
@@ -549,7 +548,7 @@ public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAcc
 public PolicyACLSummary getPolicyACLSummary() {
 if (aclSummary == null) {
 boolean forceCreation = true;
- aclSummary = createPolicyACLSummary(forceCreation);
+ aclSummary = createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), forceCreation);
 }
 return aclSummary;
@@ -590,12 +589,12 @@ PolicyACLSummary for access evaluation (that is, if disableAccessEvaluationWithP
 is set to false). It may return null object if all accesses for all user/groups cannot be determined statically. */
- private PolicyACLSummary createPolicyACLSummary() {
+ private PolicyACLSummary createPolicyACLSummary(Map> impliedAccessGrants) {
 boolean forceCreation = false;
- return createPolicyACLSummary(forceCreation);
+ return createPolicyACLSummary(impliedAccessGrants, forceCreation);
 }
- private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
+ private PolicyACLSummary createPolicyACLSummary(Map> impliedAccessGrants, boolean isCreationForced) {
 PolicyACLSummary ret = null;
 RangerPerfTracer perf = null;
@@ -625,8 +624,6 @@ private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
 if (isUsableForEvaluation || isCreationForced) {
 ret = new PolicyACLSummary();
- Map> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(getServiceDef());
-
 for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
 ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions, impliedAccessGrants);
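Review bot: `getPolicyACLSummary()` builds the lazily created summary from `ServiceDefUtil.getExpandedImpliedGrants(getServiceDef())`, while the eager path in `init` earlier in this diff passes `options.getServiceDefHelper().getImpliedAccessGrants()`; unless those two calls are guaranteed to yield the same map for every service-def (including tag service-defs adjusted by `normalizeAccessTypeDefs`), the summary — evidently the structure consulted when `useAclSummaryForEvaluation` is set — can differ depending on which path ran first. Retaining the grants from `init` in a field and reusing them here, e.g. `this.impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();` in init and `aclSummary = createPolicyACLSummary(impliedAccessGrants, forceCreation);` here, removes that divergence; otherwise a comment should say why the two sources are interchangeable. The local `forceCreation` could also be inlined as `createPolicyACLSummary(..., true)`.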
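Review bot: The comment block introducing `createPolicyACLSummary` (its first lines are above this hunk) still describes only the forced/unforced creation and says nothing about the `impliedAccessGrants` parameter both overloads now take, nor whether a null or empty map is acceptable. A sentence such as `impliedAccessGrants is forwarded unchanged to PolicyACLSummary.processPolicyItem() for each policy item; callers supply it from the evaluator's RangerServiceDefHelper (init) or from ServiceDefUtil.getExpandedImpliedGrants (lazy getPolicyACLSummary)` would let the next maintainer see where the map comes from and that the two call sites differ. The local `boolean forceCreation = false;` in the one-argument overload could be inlined to `return createPolicyACLSummary(impliedAccessGrants, false);`. The two-argument overload's body continues outside the hunk.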
@@ -1166,13 +1163,13 @@ public StringBuilder toString(StringBuilder sb) {
 return sb;
 }
- protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
+ protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
 if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef == null) {
 return;
 }
 /*
- Map> impliedAccessGrants = getImpliedAccessGrants(serviceDef);
+ Map> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
 return;