
Bug in tag policy cache computation for a given service - irrelevant tag policies found


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component: Ranger
    Description

      While testing the hasTagPolicies function of the policy engine, I observed that even though, for a given service, there are no tag-based policies, some tag-based policies are still found in the policy cache for that service.

      PolicyEngine.java
          public boolean hasTagPolicies(RangerPolicyRepository tagPolicyRepository) {
              // Null check first: the repository is null for a service with no tag
              // repository, and the debug log below dereferences it.
              if (tagPolicyRepository == null) {
                  return false;
              }
              if (LOG.isDebugEnabled()) {
                  LOG.debug("PolicyEngine.hasTagPolicies tagPolicies=" + tagPolicyRepository.getPolicies());
              }
              // A policy whose item lists are all empty still counts as present here.
              return CollectionUtils.isNotEmpty(tagPolicyRepository.getPolicies());
          }

      The following scenarios were tested for analysis:

      Scenario 1: If an existing tag-based policy that has hbase as a service is modified so that hbase is no longer a service mentioned in any of the conditions of that policy, then “policies” still contains this tag-based policy, but with its conditions and policy items as empty lists. This is unexpected behavior: ideally the policies list should be empty, instead of the policy existing with empty policy items.

      Scenario 2: If a new tag policy is created without hbase mentioned as a service, the “policies” list in the hbase policy cache still contains this policy (with an empty policy-items list), which is unexpected behavior (similar to Scenario 1).

      Scenario 3: If a tag policy is disabled (and there are no other tag policies), then the tag repository exists but the “policies” list does not exist in the tagPolicies data structure, which is the expected behavior, i.e. the policy is deleted from the policy cache.

      Scenario 4: If all tag policies for cm_tag are either disabled or deleted, then the “policies” list does not exist (expected behavior, similar to Scenario 3).

      Scenario 5: If cm_tag is disassociated from hbase, the tag policy repository, i.e. tagPolicies in the policy cache, is removed (which is the expected behavior).

      Illustration of Scenario 1:

      When HBase is listed as a service in a tag-based policy item:

      2024-03-04 16:13:31,853 DEBUG org.apache.ranger.plugin.policyengine.PolicyEngine: PolicyEngine.hasTagPolicies tagPolicies=[RangerPolicy={id={4} guid={3d82d579-bce0-4527-a23e-53dbcda21f4d} isEnabled={true} createdBy={null} updatedBy={null} createTime={null} updateTime={null} version={3} service={cm_tag} name={EXPIRES_ON} policyType={0} policyPriority={0} description={Policy for data with EXPIRES_ON tag} resourceSignature={null} isAuditEnabled={true} serviceType={tag} resources={tag={RangerPolicyResource={values={EXPIRES_ON } isExcludes={false} isRecursive={false} }} } policyLabels={} policyConditions={} policyItems={} denyPolicyItems={RangerPolicyItem={accessTypes={RangerPolicyItemAccess={type={read} isAllowed={true} }RangerPolicyItemAccess={type={write} isAllowed={true} }RangerPolicyItemAccess={type={create} isAllowed={true} }RangerPolicyItemAccess={type={admin} isAllowed={true} }RangerPolicyItemAccess={type={execute} isAllowed={true} }} users={} groups={public } roles={} conditions={RangerPolicyCondition={type={accessed-after-expiry} values={yes } }} delegateAdmin={false} }} allowExceptions={} denyExceptions={} dataMaskPolicyItems={} rowFilterPolicyItems={} options={} validitySchedules={, zoneName=null, isDenyAllElse={false} }}]
       
      

       

      When HBase is removed from all tag-based policies:

      2024-03-04 16:25:01,584 DEBUG org.apache.ranger.plugin.policyengine.PolicyEngine: PolicyEngine.hasTagPolicies tagPolicies=[RangerPolicy={id={4} guid={3d82d579-bce0-4527-a23e-53dbcda21f4d} isEnabled={true} createdBy={null} updatedBy={null} createTime={null} updateTime={null} version={4} service={cm_tag} name={EXPIRES_ON} policyType={0} policyPriority={0} description={Policy for data with EXPIRES_ON tag} resourceSignature={null} isAuditEnabled={true} serviceType={tag} resources={tag={RangerPolicyResource={values={EXPIRES_ON } isExcludes={false} isRecursive={false} }} } policyLabels={} policyConditions={} policyItems={} denyPolicyItems={} allowExceptions={} denyExceptions={} dataMaskPolicyItems={} rowFilterPolicyItems={} options={} validitySchedules={, zoneName=null, isDenyAllElse={false} }}]

      Note that the policy still exists here, but its item lists are empty, instead of the policy being absent from the hbase policy cache.

      Scenario 1 and Scenario 2 need to be fixed so that no tag-based policies are present in the policy cache of a service if there are no policies relevant to it (instead of returning all policies relevant to other services, but with empty policy items in the data structure).
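      As an added illustration (not code from the Ranger project), the following Python model reproduces the cache shape from the debug output above and contrasts the reported behaviour (policy kept with empty item lists) with the behaviour Scenarios 1 and 2 ask for (policy dropped when no item applies to the service). It assumes, as a simplification, that an item's accessType strings are prefixed with the service type they apply to (e.g. "hive:select"); the policy fields and sample values are constructed.

```python
# Constructed model of the per-service tag policy cache discussed in this ticket.
# Assumption (a simplification, not Ranger's real data model): each policy item
# names the service type it applies to through accessType strings like "hive:select".
ITEM_LISTS = ("policyItems", "denyPolicyItems", "allowExceptions", "denyExceptions",
              "dataMaskPolicyItems", "rowFilterPolicyItems")


def item_applies_to(item, service_type):
    """True if any accessType of the item targets the given service type."""
    return any(a["type"].split(":", 1)[0] == service_type for a in item["accessTypes"])


def prune_for_service(policies, service_type, drop_empty):
    """Build the tag policy cache for one service.
    drop_empty=False mirrors the reported behaviour (policy kept with all item lists
    pruned to empty); drop_empty=True drops such policies, as the ticket asks for."""
    cache = []
    for policy in policies:
        pruned = dict(policy)
        for key in ITEM_LISTS:
            pruned[key] = [i for i in policy.get(key, []) if item_applies_to(i, service_type)]
        if drop_empty and not any(pruned[key] for key in ITEM_LISTS):
            continue  # nothing in this policy applies to the service
        cache.append(pruned)
    return cache


def has_tag_policies(policies):
    """Mirrors PolicyEngine.hasTagPolicies: a non-null, non-empty policy list."""
    return policies is not None and len(policies) > 0


def has_effective_tag_policies(policies):
    """Stricter check: at least one cached policy must still carry a policy item."""
    return has_tag_policies(policies) and any(any(p[k] for k in ITEM_LISTS) for p in policies)


# Constructed sample: a cm_tag policy whose only item targets hive, so nothing applies to hbase.
EXPIRES_ON = {
    "name": "EXPIRES_ON", "service": "cm_tag", "resources": {"tag": ["EXPIRES_ON"]},
    "policyItems": [],
    "denyPolicyItems": [{"accessTypes": [{"type": "hive:select"}], "groups": ["public"]}],
    "allowExceptions": [], "denyExceptions": [],
    "dataMaskPolicyItems": [], "rowFilterPolicyItems": [],
}

if __name__ == "__main__":
    reported = prune_for_service([EXPIRES_ON], "hbase", drop_empty=False)
    fixed = prune_for_service([EXPIRES_ON], "hbase", drop_empty=True)
    print(has_tag_policies(reported), has_effective_tag_policies(reported))  # True False
    print(has_tag_policies(fixed))  # False
```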

       

      Impact: There is no impact on policy evaluation, but there could be a performance impact, because when tag policies are found, various computations (such as finding the relevant tags) are performed for every request.

People

    fateh288 Fateh Singh