RANGER-4378: removed static PolicyEngine.impliedAccessGrants - #3

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java

@@ -21,7 +21,6 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -66,15 +65,8 @@ public class PolicyEngine {
     private       boolean                             useForwardedIPAddress;
     private       String[]                            trustedProxyAddresses;
     private final Map<String, StringTokenReplacer>    tokenReplacers = new HashMap<>();
-
     private final RangerReadWriteLock                 lock;
 
-    static private Map<String, Map<String, Collection<String>>> impliedAccessGrants = null;
-
-    static public Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) {
-        return impliedAccessGrants == null ? null : impliedAccessGrants.get(serviceDef.getName());
-    }
-
 
     public RangerReadWriteLock.RangerLock getReadLock() {
         return lock.getReadLock();
@@ -204,7 +196,7 @@ public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginC
             PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory);
         }
 
-        buildImpliedAccessGrants(servicePolicies);
+        normalizeServiceDefs(servicePolicies);
 
         this.pluginContext = pluginContext;
         this.lock          = new RangerReadWriteLock(isUseReadWriteLock);
@@ -482,32 +474,20 @@ public void preCleanup(boolean isForced) {
         }
     }
 
-    synchronized static private void buildImpliedAccessGrants(ServicePolicies servicePolicies) {
+    private void normalizeServiceDefs(ServicePolicies servicePolicies) {
         RangerServiceDef serviceDef = servicePolicies.getServiceDef();
 
         if (serviceDef != null) {
-            buildImpliedAccessGrants(ServiceDefUtil.normalize(serviceDef));
+            ServiceDefUtil.normalize(serviceDef);
 
             RangerServiceDef tagServiceDef = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceDef() : null;
 
             if (tagServiceDef != null) {
-                buildImpliedAccessGrants(ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName()));
+                ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName());
             }
         }
     }
 
-    static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
-        if (serviceDef != null) {
-            RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false);
-
-            if (impliedAccessGrants == null) {
-                impliedAccessGrants = Collections.synchronizedMap(new HashMap<>());
-            }
-
-            impliedAccessGrants.put(serviceDef.getName(), helper.getImpliedAccessGrants());
-        }
-    }
-
     private PolicyEngine(final PolicyEngine other, ServicePolicies servicePolicies) {
         this.useForwardedIPAddress = other.useForwardedIPAddress;
         this.trustedProxyAddresses = other.trustedProxyAddresses;

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java

@@ -29,7 +29,6 @@
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 
@@ -118,7 +117,7 @@ protected RangerPolicyItem computeWithImpliedGrants() {
 				ret = policyItem;
 			} else {
 				// Compute implied-accesses
-				Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef);
+				Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 
 				if (impliedAccessGrants != null && !impliedAccessGrants.isEmpty()) {
 					ret = new RangerPolicyItem(policyItem);

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java

@@ -100,10 +100,10 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
     }
 
     @Override
-    protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
-        super.preprocessPolicy(policy, serviceDef);
+    protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
+        super.preprocessPolicy(policy, serviceDef, options);
 
-        Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef);
+        Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 
         if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
             return;

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java

@@ -42,7 +42,6 @@
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.model.RangerValiditySchedule;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestWrapper;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
@@ -128,15 +127,15 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
 
 		policy = getPolicy();
 
-		preprocessPolicy(policy, serviceDef);
+		preprocessPolicy(policy, serviceDef, options);
 
 		if(policy != null) {
 			validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
 
 			this.disableRoleResolution = options.disableRoleResolution;
 
 			if (!options.disableAccessEvaluationWithPolicyACLSummary) {
-				aclSummary = createPolicyACLSummary();
+				aclSummary = createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants());
 			}
 
 			useAclSummaryForEvaluation = aclSummary != null;
@@ -549,7 +548,7 @@ public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAcc
 	public PolicyACLSummary getPolicyACLSummary() {
 		if (aclSummary == null) {
 			boolean forceCreation = true;
-			aclSummary = createPolicyACLSummary(forceCreation);
+			aclSummary = createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), forceCreation);
 		}
 
 		return aclSummary;
@@ -590,12 +589,12 @@ PolicyACLSummary for access evaluation (that is, if disableAccessEvaluationWithP
 		is set to false). It may return null object if all accesses for all user/groups cannot be determined statically.
 	*/
 
-	private PolicyACLSummary createPolicyACLSummary() {
+	private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants) {
 		boolean forceCreation = false;
-		return createPolicyACLSummary(forceCreation);
+		return createPolicyACLSummary(impliedAccessGrants, forceCreation);
 	}
 
-	private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
+	private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants, boolean isCreationForced) {
 		PolicyACLSummary ret  = null;
 		RangerPerfTracer perf = null;
 
@@ -625,8 +624,6 @@ private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
 
 		if (isUsableForEvaluation || isCreationForced) {
 			ret = new PolicyACLSummary();
-			Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(getServiceDef());
-
 
 			for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
 				ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions, impliedAccessGrants);
@@ -1166,13 +1163,13 @@ public StringBuilder toString(StringBuilder sb) {
 		return sb;
 	}
 
-	protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
+	protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
 		if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef == null) {
 			return;
 		}
 		/*
 
-		Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef);
+		Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 
 		if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
 			return;