From 45e1829b306ad2d96d41f07c6459cc1e58800f9d Mon Sep 17 00:00:00 2001
From: ektavarma10 <147537555+ektavarma10@users.noreply.github.com>
Date: Wed, 6 Dec 2023 11:15:26 +0530
Subject: [PATCH] Revert "Add optimisation for classification access."
---
 .../authorizer/RangerAtlasAuthorizer.java | 181 +++++------------
 1 file changed, 52 insertions(+), 129 deletions(-)
diff --git a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 97c3ad07ae..6462931f93 100644
--- a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -53,22 +53,7 @@
 import org.apache.atlas.plugin.service.RangerBasePlugin;
 import org.apache.atlas.plugin.util.RangerPerfTracer;
-
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.ArrayList;
-import java.util.Set;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.UUID;
-import java.util.Collection;
-
-
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
+import java.util.*;
 import static org.apache.atlas.authorization.atlas.authorizer.RangerAtlasAuthorizerUtil.*;
 import static org.apache.atlas.authorize.AtlasAuthorizationUtils.getCurrentUserGroups;
@@ -89,8 +74,6 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 add(AtlasPrivilege.ENTITY_UPDATE_CLASSIFICATION);
 }};
- private static final ExecutorService classificationAccessThreadpool = Executors.newFixedThreadPool(20);
-
 @Override
 public void init() {
 if (LOG.isDebugEnabled()) {
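Review bot: `import java.util.*;` in the first hunk replaces the explicit import list with a wildcard, which hides the collection types this authorizer depends on and lets name resolution shift if a same-named class is later imported from another package. The new side visible in this patch uses at least `Set`, `Map`, `HashMap` and `UUID`; keeping explicit imports for what is still needed after the executor code is removed would keep the revert minimal. The rest of the file is outside the patch, so the full list has to be checked against the compiled class.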
@@ -257,7 +240,7 @@ public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAutho
 boolean isAuditDisabled = ACCESS_TYPE_TYPE_READ.equalsIgnoreCase(action);
 if (isAuditDisabled) {
- ret = checkAccess(rangerRequest, null, "", System.currentTimeMillis());
+ ret = checkAccess(rangerRequest, null, "");
 } else {
 ret = checkAccess(rangerRequest);
 }
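Review bot: The audit-disabled branch passes a literal `null` handler and an empty string as the correlation id, `checkAccess(rangerRequest, null, "")`, with nothing at the call site saying why. The three-argument checkAccess logs `" uuid: " + uuid` at INFO (visible as context further down in this patch), so type-read checks will emit log lines with a blank id that cannot be tied back to a request. If skipping the audit for type reads is deliberate, a comment such as `// TYPE_READ is not audited: no audit handler, no correlation id` would make that explicit. The rest of this isAccessAllowed overload lies outside the hunk.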
@@ -667,56 +650,71 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud if (LOG.isDebugEnabled()) { LOG.debug("==> isAccessAllowed(" + request + ")"); } - - String uuid = UUID.randomUUID().toString(); - long startTime = System.currentTimeMillis(); - LOG.info("start isAccessAllowed : " + startTime + " uuid: " + uuid); boolean ret = false; + long startTime = System.currentTimeMillis(); + final String uuid = UUID.randomUUID().toString(); try { + final String action = request.getAction() != null ? request.getAction().getType() : null; + final Set entityTypes = request.getEntityTypeAndAllSuperTypes(); + final String entityId = request.getEntityId(); + final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null; + final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(); + final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(); + final String ownerUser = request.getEntity() != null ? 
(String) request.getEntity().getAttribute(RESOURCE_ENTITY_OWNER) : null; + + rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes); + rangerResource.setValue(RESOURCE_ENTITY_ID, entityId); + rangerResource.setOwnerUser(ownerUser); + rangerRequest.setAccessType(action); + rangerRequest.setAction(action); + rangerRequest.setUser(request.getUser()); + rangerRequest.setUserGroups(request.getUserGroups()); + rangerRequest.setClientIPAddress(request.getClientIPAddress()); + rangerRequest.setAccessTime(request.getAccessTime()); + rangerRequest.setResource(rangerResource); + rangerRequest.setForwardedAddresses(request.getForwardedAddresses()); + rangerRequest.setRemoteIPAddress(request.getRemoteIPAddress()); + + if (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) { + rangerResource.setValue(RESOURCE_ENTITY_LABEL, request.getLabel()); + } else if (AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction())) { + rangerResource.setValue(RESOURCE_ENTITY_BUSINESS_METADATA, request.getBusinessMetadata()); + } else if (StringUtils.isNotEmpty(classification) && CLASSIFICATION_PRIVILEGES.contains(request.getAction())) { + rangerResource.setValue(RESOURCE_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classification)); + } if (CollectionUtils.isNotEmpty(request.getEntityClassifications())) { Set entityClassifications = request.getEntityClassifications(); + Map contextOjb = rangerRequest.getContext(); Set rangerTagForEval = getRangerServiceTag(entityClassifications); - List> completableFutures = new ArrayList<>(); - LOG.info("isAccessAllowed started : " + startTime); + if (contextOjb == null) { + Map contextOjb1 = new HashMap(); + contextOjb1.put("CLASSIFICATIONS", rangerTagForEval); + rangerRequest.setContext(contextOjb1); + } else { + contextOjb.put("CLASSIFICATIONS", rangerTagForEval); + rangerRequest.setContext(contextOjb); + } // check authorization for each 
classification - LOG.info("start check authorization for each classification: " + (System.currentTimeMillis() - startTime)+ " uuid: " + uuid); + LOG.info("classification level authorization started: " + (System.currentTimeMillis()-startTime) + "uuid: "+uuid); for (AtlasClassification classificationToAuthorize : request.getEntityClassifications()) { - long rangerRequestCreationStartTime = System.currentTimeMillis(); - RangerAccessRequestImpl rangerRequest = createRangerAccessRequest(request, classificationToAuthorize, rangerTagForEval); - LOG.info("Time taken to create a ranger request for uuid: "+uuid+ "is "+ (System.currentTimeMillis()-rangerRequestCreationStartTime)); - long taskSubmissionTime = System.currentTimeMillis(); - completableFutures.add(CompletableFuture.supplyAsync(()->checkAccess(rangerRequest, auditHandler, uuid, taskSubmissionTime), classificationAccessThreadpool)); - } - - // wait for all threads to complete their execution - CompletableFuture.allOf(completableFutures.toArray(new CompletableFuture[0])).join(); - LOG.info("end check authorization for each classification: " + (System.currentTimeMillis() - startTime) + " uuid: " + uuid); - + rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize.getTypeName())); - // if all checkAccess calls return true, then ret is true, else it is false - ret = completableFutures - .stream() - .map(CompletableFuture::join) - .allMatch(result -> result == true); + ret = checkAccess(rangerRequest, auditHandler, uuid); + if (!ret) { + break; + } + } + LOG.info("classification level authorization ended: " + (System.currentTimeMillis()-startTime) + "uuid: "+uuid); } else { - - RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(); - RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(); - - initRangerRequest(rangerRequest, request); - initRangerResource(rangerResource, request); - - 
rangerRequest.setResource(rangerResource); - rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, ENTITY_NOT_CLASSIFIED ); - ret = checkAccess(rangerRequest, auditHandler, uuid, System.currentTimeMillis()); + ret = checkAccess(rangerRequest, auditHandler, uuid); } } finally { 
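Review bot: The two timing messages added around the classification loop concatenate the elapsed time straight into `"uuid: "`, so a line renders like `...ended: 12uuid: <id>` (constructed sample) and is hard to parse or search by id; the next hunk adds the same pattern for `"isAccessAllowed ended: "`. They are also emitted at INFO on every entity authorization, and checkAccessAndScrub in the last hunk calls this method for each entity header it handles, so the volume can bury the access decisions an operator needs to find. Consider moving them under the existing `LOG.isDebugEnabled()` guard with a separator, e.g. `LOG.debug("classification level authorization ended: " + (System.currentTimeMillis() - startTime) + " ms, uuid: " + uuid);`. A comment on the `break`, such as `// access requires every classification to be allowed; stop at the first denial`, would also document the decision rule; the method starts before and ends after this hunk.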
@@ -728,81 +726,10 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud if (LOG.isDebugEnabled()) { LOG.debug("<== isAccessAllowed(" + request + "): " + ret); } - + LOG.info("isAccessAllowed ended: " + (System.currentTimeMillis()-startTime) + "uuid: "+uuid); return ret; } - private RangerAccessRequestImpl createRangerAccessRequest(AtlasEntityAccessRequest request, - AtlasClassification classificationToAuthorize, - Set rangerTagForEval) { - - long startTime = System.currentTimeMillis(); - LOG.info("createRangerAccessRequest start: " + startTime); - - RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(); - RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(); - - initRangerRequest(rangerRequest, request); - initRangerResource(rangerResource, request); - - rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize.getTypeName())); - - rangerRequest.setResource(rangerResource); - - setClassificationContextForRanger(rangerTagForEval, rangerRequest); - - LOG.info("createRangerAccessRequest end: " + (System.currentTimeMillis() - startTime)); - - return rangerRequest; - - } - - private static void setClassificationContextForRanger(Set rangerTagForEval, RangerAccessRequestImpl rangerRequest) { - Map contextOjb = rangerRequest.getContext(); - - if (contextOjb == null) { - Map contextOjb1 = new HashMap(); - contextOjb1.put("CLASSIFICATIONS", rangerTagForEval); - rangerRequest.setContext(contextOjb1); - } else { - contextOjb.put("CLASSIFICATIONS", rangerTagForEval); - rangerRequest.setContext(contextOjb); - } - } - - private void initRangerRequest(RangerAccessRequestImpl rangerRequest, AtlasEntityAccessRequest request) { - final String action = request.getAction() != null ? 
request.getAction().getType() : null; - - rangerRequest.setAccessType(action); - rangerRequest.setAction(action); - rangerRequest.setUser(request.getUser()); - rangerRequest.setUserGroups(request.getUserGroups()); - rangerRequest.setClientIPAddress(request.getClientIPAddress()); - rangerRequest.setAccessTime(request.getAccessTime()); - rangerRequest.setForwardedAddresses(request.getForwardedAddresses()); - rangerRequest.setRemoteIPAddress(request.getRemoteIPAddress()); - } - - private void initRangerResource(RangerAccessResourceImpl rangerResource, AtlasEntityAccessRequest request) { - final Set entityTypes = request.getEntityTypeAndAllSuperTypes(); - final String entityId = request.getEntityId(); - final String ownerUser = request.getEntity() != null ? (String) request.getEntity().getAttribute(RESOURCE_ENTITY_OWNER) : null; - final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null; - - rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes); - rangerResource.setValue(RESOURCE_ENTITY_ID, entityId); - rangerResource.setOwnerUser(ownerUser); - - if (AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction())) { - rangerResource.setValue(RESOURCE_ENTITY_LABEL, request.getLabel()); - } else if (AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction())) { - rangerResource.setValue(RESOURCE_ENTITY_BUSINESS_METADATA, request.getBusinessMetadata()); - } else if (StringUtils.isNotEmpty(classification) && CLASSIFICATION_PRIVILEGES.contains(request.getAction())) { - rangerResource.setValue(RESOURCE_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classification)); - } - - } - private void setClassificationsToRequestContext(Set entityClassifications, RangerAccessRequestImpl rangerRequest) { Map contextOjb = rangerRequest.getContext(); 
@@ -866,8 +793,7 @@ private boolean checkAccess(RangerAccessRequestImpl request) {
 return ret;
 }
- private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler, String uuid, long taskSubmissionTime) {
- LOG.info("wait time for checkAccess is "+ (System.currentTimeMillis() - taskSubmissionTime));
+ private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler, String uuid) {
 boolean ret = false;
 long startTime = System.currentTimeMillis();
 LOG.info("checkAccess started at: " + startTime + " uuid: " + uuid);
@@ -944,10 +870,7 @@ private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScru
 boolean isEntityAccessAllowed = isScrubAuditEnabled ? isAccessAllowed(entityAccessRequest) : isAccessAllowed(entityAccessRequest, null);
 if (!isEntityAccessAllowed) {
- long startTime = System.currentTimeMillis();
- LOG.info("scrubEntityHeader started" + startTime);
 scrubEntityHeader(entity, request.getTypeRegistry());
- LOG.info("scrubEntityHeader ended" + (System.currentTimeMillis() - startTime));
 }
 }
 }