RANGER-4485: refactored condition instantiation
mneethiraj committed Oct 24, 2023
1 parent 36ce62e commit 105f6f5
Showing 7 changed files with 140 additions and 195 deletions.
Expand Up @@ -20,176 +20,144 @@
package org.apache.ranger.plugin.policyevaluator;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;


//
// this class should have been named RangerConditionEvaluatorFactory
//
public class RangerCustomConditionEvaluator {

private static final Logger LOG = LoggerFactory.getLogger(RangerCustomConditionEvaluator.class);
private static final Logger PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init");
private static final Logger PERF_POLICYITEM_INIT_LOG = RangerPerfTracer.getPerfLogger("policyitem.init");
private static final Logger LOG = LoggerFactory.getLogger(RangerCustomConditionEvaluator.class);
private static final Logger PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init");
private static final Logger PERF_POLICYITEM_INIT_LOG = RangerPerfTracer.getPerfLogger("policyitem.init");
private static final Logger PERF_POLICYCONDITION_INIT_LOG = RangerPerfTracer.getPerfLogger("policycondition.init");

public List<RangerConditionEvaluator> getRangerPolicyConditionEvaluator(RangerPolicy policy,
RangerServiceDef serviceDef,
RangerPolicyEngineOptions options) {
List<RangerConditionEvaluator> conditionEvaluators = new ArrayList<>();

if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(policy.getConditions())) {

RangerPerfTracer perf = null;

long policyId = policy.getId();

if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerCustomConditionEvaluator.init(policyId=" + policyId + ")");
}

for (RangerPolicy.RangerPolicyItemCondition condition : policy.getConditions()) {
RangerServiceDef.RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType(),serviceDef);

if (conditionDef == null) {
LOG.error("RangerCustomConditionEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition");

continue;
}

RangerConditionEvaluator conditionEvaluator = newConditionEvaluator(conditionDef.getEvaluator());

if (conditionEvaluator != null) {
conditionEvaluator.setServiceDef(serviceDef);
conditionEvaluator.setConditionDef(conditionDef);
conditionEvaluator.setPolicyItemCondition(condition);
public static RangerCustomConditionEvaluator getInstance() {
return RangerCustomConditionEvaluator.SingletonHolder.s_instance;
}

RangerPerfTracer perfConditionInit = null;
private RangerCustomConditionEvaluator() {
}

if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) {
perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + "policyConditionType=" + condition.getType() + ")");
}
public List<RangerConditionEvaluator> getPolicyConditionEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
RangerPerfTracer perf = null;
String parentId = "policyId=" + policy.getId() ;

conditionEvaluator.init();
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.getPolicyConditionEvaluators(" + parentId + ")");
}

RangerPerfTracer.log(perfConditionInit);
List<RangerConditionEvaluator> ret = getConditionEvaluators(parentId, policy.getConditions(), serviceDef, options);

conditionEvaluators.add(conditionEvaluator);
} else {
LOG.error("RangerCustomConditionEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + "): failed to init Policy ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
}
}
RangerPerfTracer.log(perf);

RangerPerfTracer.log(perf);
}
return conditionEvaluators;
return ret;
}

public List<RangerConditionEvaluator> getPolicyItemConditionEvaluators(RangerPolicy policy, RangerPolicyItem policyItem, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, int policyItemIndex) {
RangerPerfTracer perf = null;
String parentId = "policyId=" + policy.getId() + ", policyItemIndex=" + policyItemIndex;

public List<RangerConditionEvaluator> getPolicyItemConditionEvaluator(RangerPolicy policy,
RangerPolicyItem policyItem,
RangerServiceDef serviceDef,
RangerPolicyEngineOptions options,
int policyItemIndex) {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.getPolicyItemConditionEvaluators(" + parentId + ")");
}

List<RangerConditionEvaluator> conditionEvaluators = new ArrayList<>();
List<RangerConditionEvaluator> ret = getConditionEvaluators(parentId, policyItem.getConditions(), serviceDef, options);

if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(policyItem.getConditions())) {
RangerPerfTracer.log(perf);

RangerPerfTracer perf = null;
return ret;
}

Long policyId = policy.getId();
public List<RangerConditionEvaluator> getConditionEvaluators(String parentId, List<RangerPolicyItemCondition> conditions, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
final List<RangerConditionEvaluator> ret;

if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + ",policyItemIndex=" + policyItemIndex + ")");
}
if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(conditions)) {
ret = new ArrayList<>(conditions.size());

for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
RangerServiceDef.RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType(), serviceDef);
for (RangerPolicyItemCondition condition : conditions) {
RangerPolicyConditionDef conditionDef = ServiceDefUtil.getConditionDef(serviceDef, condition.getType());

if (conditionDef == null) {
LOG.error("RangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition");
LOG.error("RangerCustomConditionEvaluator.getConditionEvaluators(" + parentId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition");

continue;
}

RangerConditionEvaluator conditionEvaluator = newConditionEvaluator(conditionDef.getEvaluator());
RangerConditionEvaluator conditionEvaluator = getConditionEvaluator(parentId, condition, conditionDef, serviceDef, options);

if (conditionEvaluator != null) {
conditionEvaluator.setServiceDef(serviceDef);
conditionEvaluator.setConditionDef(conditionDef);
conditionEvaluator.setPolicyItemCondition(condition);

RangerPerfTracer perfConditionInit = null;

if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) {
perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + policyItemIndex + ",policyConditionType=" + condition.getType() + ")");
}

conditionEvaluator.init();

RangerPerfTracer.log(perfConditionInit);

conditionEvaluators.add(conditionEvaluator);
} else {
LOG.error("RangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policyId=" + policyId + "): failed to init PolicyItem ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
ret.add(conditionEvaluator);
}
}
RangerPerfTracer.log(perf);
} else {
ret = Collections.emptyList();
}
return conditionEvaluators;

return ret;
}

private RangerServiceDef.RangerPolicyConditionDef getConditionDef(String conditionName, RangerServiceDef serviceDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerCustomConditionEvaluator.getConditionDef(" + conditionName + ")");
}
public RangerConditionEvaluator getConditionEvaluator(String parentId, RangerPolicyItemCondition condition, RangerPolicyConditionDef conditionDef, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
final RangerConditionEvaluator ret;

if (condition != null && conditionDef != null && !getConditionsDisabledOption(options)) {
ret = newConditionEvaluator(conditionDef.getEvaluator());

RangerServiceDef.RangerPolicyConditionDef ret = null;
if (ret != null) {
ret.setServiceDef(serviceDef);
ret.setConditionDef(conditionDef);
ret.setPolicyItemCondition(condition);

if (serviceDef != null && CollectionUtils.isNotEmpty(serviceDef.getPolicyConditions())) {
for(RangerServiceDef.RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) {
if(StringUtils.equals(conditionName, conditionDef.getName())) {
ret = conditionDef;
break;
RangerPerfTracer perf = null;

if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(" + parentId + ", policyConditionType=" + condition.getType() + ")");
}
}
}

if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerCustomConditionEvaluator.getConditionDef(" + conditionName + "): " + ret);
ret.init();

RangerPerfTracer.log(perf);
} else {
LOG.error("RangerCustomConditionEvaluator.getConditionEvaluator(" + parentId + "): failed to init ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
}
} else {
ret = null;
}

return ret;
}


private RangerConditionEvaluator newConditionEvaluator(String className) {
if(LOG.isDebugEnabled()) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerCustomConditionEvaluator.newConditionEvaluator(" + className + ")");
}

RangerConditionEvaluator evaluator = null;

try {
@SuppressWarnings("unchecked")
Class<org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator> matcherClass = (Class<org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator>)Class.forName(className);
Class<RangerConditionEvaluator> evaluatorClass = (Class<RangerConditionEvaluator>)Class.forName(className);

evaluator = matcherClass.newInstance();
} catch(Throwable t) {
evaluator = evaluatorClass.newInstance();
} catch (Throwable t) {
LOG.error("RangerCustomConditionEvaluator.newConditionEvaluator(" + className + "): error instantiating evaluator", t);
}

if(LOG.isDebugEnabled()) {
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerCustomConditionEvaluator.newConditionEvaluator(" + className + "): " + evaluator);
}

Expand All @@ -199,4 +167,8 @@ private RangerConditionEvaluator newConditionEvaluator(String className) {
private boolean getConditionsDisabledOption(RangerPolicyEngineOptions options) {
return options != null && options.disableCustomConditions;
}

private static class SingletonHolder {
private static final RangerCustomConditionEvaluator s_instance = new RangerCustomConditionEvaluator();
}
}
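Review bot: In `newConditionEvaluator`, the class named by `conditionDef.getEvaluator()` is constructed before anything verifies that it is a `RangerConditionEvaluator`. The `(Class<RangerConditionEvaluator>)` cast is unchecked, so the type is only enforced when the result of `newInstance()` is assigned, by which point the no-arg constructor of whatever class was named has already run. Because the name comes from the service definition rather than from code, I would resolve it with `Class.forName(className).asSubclass(RangerConditionEvaluator.class)` and instantiate with `getDeclaredConstructor().newInstance()`; this rejects a wrong type before construction and removes both the `@SuppressWarnings("unchecked")` and the deprecated `Class.newInstance()`. If static initialization of an unexpected class should be avoided as well, the three-argument `Class.forName(className, false, loader)` can be used ahead of the `asSubclass` check. The tail of the method falls between the two hunks and is not shown.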
Expand Up @@ -162,7 +162,7 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE

dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
conditionEvaluators = createRangerPolicyConditionEvaluator(policy, serviceDef, options);
conditionEvaluators = createPolicyConditionEvaluators(policy, serviceDef, options);
} else {
validityScheduleEvaluators = Collections.<RangerValidityScheduleEvaluator>emptyList();
allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
Expand Down Expand Up @@ -1542,20 +1542,12 @@ private boolean matchPolicyCustomConditions(RangerAccessRequest request) {
return ret;
}

private List<RangerConditionEvaluator> createRangerPolicyConditionEvaluator(RangerPolicy policy,
RangerServiceDef serviceDef,
RangerPolicyEngineOptions options) {
List<RangerConditionEvaluator> rangerConditionEvaluators = null;
private List<RangerConditionEvaluator> createPolicyConditionEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
List<RangerConditionEvaluator> ret = RangerCustomConditionEvaluator.getInstance().getPolicyConditionEvaluators(policy, serviceDef, options);

RangerCustomConditionEvaluator rangerConditionEvaluator = new RangerCustomConditionEvaluator();
customConditionsCount += ret.size();

rangerConditionEvaluators = rangerConditionEvaluator.getRangerPolicyConditionEvaluator(policy,serviceDef,options);

if (rangerConditionEvaluators != null) {
customConditionsCount += rangerConditionEvaluators.size();
}

return rangerConditionEvaluators;
return ret;
}

}
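Review bot: `customConditionsCount += ret.size()` counts only the evaluators that were actually built, so a condition that `getConditionEvaluators` dropped (conditionDef not found, or the evaluator class failed to instantiate) leaves no trace on the policy beyond an error log line. If the matching code outside this hunk consults only the returned evaluators, which it appears to, a policy whose restricting condition could not be loaded would be evaluated as if that condition were absent. I would have the caller detect the shortfall when custom conditions are not disabled, by comparing the number of evaluators returned with the number of conditions on the policy, and treat the policy as not matching rather than continue without the condition. The same applies to the `getPolicyItemConditionEvaluators` call in `init()` in the next file section.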
Expand Up @@ -30,7 +30,6 @@
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
Expand Down Expand Up @@ -61,9 +60,7 @@ public void init() {
LOG.debug("==> RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", policyItem=" + policyItem + ", serviceType=" + getServiceType() + ", conditionsDisabled=" + getConditionsDisabledOption() + ")");
}

RangerCustomConditionEvaluator rangerCustomConditionEvaluator = new RangerCustomConditionEvaluator();

conditionEvaluators = rangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policy, policyItem, serviceDef, options, policyItemIndex);
conditionEvaluators = RangerCustomConditionEvaluator.getInstance().getPolicyItemConditionEvaluators(policy, policyItem, serviceDef, options, policyItemIndex);

List<String> users = policyItem.getUsers();
this.hasCurrentUser = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.USER_CURRENT);
Expand Down Expand Up @@ -291,51 +288,4 @@ public boolean matchCustomConditions(RangerAccessRequest request) {
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
policyEvaluator.updateAccessResult(result, matchType, getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, getComments());
}

RangerPolicyConditionDef getConditionDef(String conditionName) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")");
}

RangerPolicyConditionDef ret = null;

if (serviceDef != null && CollectionUtils.isNotEmpty(serviceDef.getPolicyConditions())) {
for (RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) {
if (StringUtils.equals(conditionName, conditionDef.getName())) {
ret = conditionDef;

break;
}
}
}

if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + "): " + ret);
}

return ret;
}

RangerConditionEvaluator newConditionEvaluator(String className) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + ")");
}

RangerConditionEvaluator evaluator = null;

try {
@SuppressWarnings("unchecked")
Class<RangerConditionEvaluator> matcherClass = (Class<RangerConditionEvaluator>)Class.forName(className);

evaluator = matcherClass.newInstance();
} catch(Throwable t) {
LOG.error("RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + "): error instantiating evaluator", t);
}

if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + "): " + evaluator);
}

return evaluator;
}
}