ranger-dev mailing list archives

From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 60949: Optimize Ranger code for authorization of HDFS 'getContentSummary' and 'delete' commands
Date Tue, 25 Jul 2017 04:39:43 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60949/#review181314
-----------------------------------------------------------




hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
Lines 340 (patched)
<https://reviews.apache.org/r/60949/#comment256845>

    evaluateAccess() is used only for column family authorizations. Some requirePermission()
calls end up calling AuthorizationSession.authorize(), without hitting evaluateAccess() -
like postGetTableDescriptors(), authorizeAccess(). Please review.
    
    Consider adding perf-log to a higher level method like requirePermission() - which can
capture the time taken by audit as well.
    
    Even with this change, some authorization calls from the component would end up producing
multiple perf-logs - for example: preCheckAndDelete(), preCheckAndPut(), preIncrementColumnValue(),
postListProcedures(). It will be good to address this as well.



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 409 (patched)
<https://reviews.apache.org/r/60949/#comment256846>

    Time taken for native authorization is already included in checkPermission(). Additional
level of perf measurement may not be useful.



plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
Lines 196 (patched)
<https://reviews.apache.org/r/60949/#comment256848>

    Consider moving this to an earlier point, @ line #134 - to ensure that the log captures the
total time spent in the authorizer. Similarly for other authorizer calls as well.


- Madhan Neethiraj


On July 19, 2017, 12:57 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60949/
> -----------------------------------------------------------
> 
> (Updated July 19, 2017, 12:57 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1695
>     https://issues.apache.org/jira/browse/RANGER-1695
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> HDFS commands such as getContentSummary and delete require Ranger to authorize access to the entire directory hierarchy rooted at the directory passed in as argument. Ranger could optimize this code by pruning the directory tree whenever a sub-directory, and directory hierarchy rooted in it, is authorized for requested access. This could potentially save many spurious authorization API calls with Ranger policy engine.
> Also, it will be useful to gather and log performance metrics for the Ranger authorization API call for every Ranger plugin.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java 83f720a
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 101013b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java 63162f6
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 06b8f4d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java d899c6f
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java cf2ffcf
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java d28685a
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java fe6a705
>   hdfs-agent/src/test/resources/hdfs-policies.json 6055dd5
>   hdfs-agent/src/test/resources/log4j.properties PRE-CREATION
>   hdfs-agent/src/test/resources/ranger-hdfs-security.xml 9b1176e
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 56ef187
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java 1d58b21
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java 9712f95
>   plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b6e052f
>   plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 4cda8fa
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 0cc9de9
>   plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java c589060
>   ranger-tools/conf/log4j.properties 4ead802
>   ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java 056c548
>   storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java 23c2b5f
> 
> 
> Diff: https://reviews.apache.org/r/60949/diff/1/
> 
> 
> Testing
> -------
> 
> Tested with local VM
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
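
The directory-tree pruning described in the quoted review request, as an added example that is not part of either message and is not Ranger's code: a toy deny-overrides policy model in which a subtree is skipped only when no deny rule can apply anywhere below it. The class, the methods `isAllowed` and `isSubtreeAllowed`, the paths and the policy model are all assumptions made for illustration.

```java
import java.util.*;

// Added illustration; not Ranger code. Policy model and all names are hypothetical.
public class SubtreePruningDemo {
    // Constructed toy policies: recursive path prefixes for one user and one access type.
    static final List<String> ALLOW = List.of("/data/");
    static final List<String> DENY  = List.of("/data/hr/payroll/");
    // Constructed directory tree: parent directory -> child directories.
    static final Map<String, List<String>> TREE = Map.of(
        "/data/", List.of("/data/logs/", "/data/hr/"),
        "/data/logs/", List.of("/data/logs/2017/", "/data/logs/2016/"),
        "/data/hr/", List.of("/data/hr/payroll/", "/data/hr/public/"));
    static int engineCalls = 0;

    // True if any rule prefix covers the given directory.
    static boolean covered(List<String> rules, String dir) {
        return rules.stream().anyMatch(dir::startsWith);
    }

    // Access check for a single directory: deny overrides allow.
    static boolean isAllowed(String dir) {
        engineCalls++;
        return covered(ALLOW, dir) && !covered(DENY, dir);
    }

    // Conservative subtree check: true only if dir is allowed and no deny rule
    // applies at or anywhere below dir, so skipping descendants cannot hide a deny.
    static boolean isSubtreeAllowed(String dir) {
        engineCalls++;
        return covered(ALLOW, dir) && !covered(DENY, dir)
            && DENY.stream().noneMatch(d -> d.startsWith(dir));
    }

    // Authorizes the whole hierarchy rooted at dir, optionally pruning decided subtrees.
    static boolean authorize(String dir, boolean prune) {
        if (prune && isSubtreeAllowed(dir)) return true; // hierarchy decided in one call
        if (!isAllowed(dir)) return false;
        for (String child : TREE.getOrDefault(dir, List.of()))
            if (!authorize(child, prune)) return false;
        return true;
    }

    public static void main(String[] args) {
        for (String root : List.of("/data/logs/", "/data/")) {
            for (boolean prune : new boolean[] {false, true}) {
                engineCalls = 0;
                boolean ok = authorize(root, prune);
                System.out.printf("%-12s prune=%-5b allowed=%-5b engineCalls=%d%n",
                                  root, prune, ok, engineCalls);
            }
        }
    }
}
```

Running it prints the engine-call count with and without pruning for each root; under `/data/` the deny rule on the payroll directory forces a descent, and the request is denied either way.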

