RANGER-4905:Reduce memory needed to create Ranger policy engine

(cherry picked from commit c0480ed)

Author: kulkabhay

agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java

@@ -29,11 +29,7 @@
 import org.apache.ranger.plugin.model.RangerServiceResource;
 import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerResourceTrie;
+import org.apache.ranger.plugin.policyengine.*;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.DownloadTrigger;
@@ -437,7 +433,7 @@ private void processServiceTags(ServiceTags serviceTags) {
 
 			for (ListIterator<RangerServiceResource> iter = serviceResources.listIterator(); iter.hasNext(); ) {
 				RangerServiceResource        serviceResource        = iter.next();
-				RangerServiceResourceMatcher serviceResourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies);
+				RangerServiceResourceMatcher serviceResourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies, getPluginContext());
 
 				if (serviceResourceMatcher != null) {
 					resourceMatchers.add(serviceResourceMatcher);
@@ -484,7 +480,7 @@ private void processServiceTagDeltas(ServiceTags deltas, ServiceTags allServiceT
 
 			if (removedOldServiceResource) {
 				if (!StringUtils.isEmpty(serviceResource.getResourceSignature())) {
-					RangerServiceResourceMatcher resourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies);
+					RangerServiceResourceMatcher resourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies, getPluginContext());
 
 					if (resourceMatcher != null) {
 						for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
@@ -613,7 +609,7 @@ private boolean removeOldServiceResource(RangerServiceResource serviceResource,
 		return ret;
 	}
 
-	static public RangerServiceResourceMatcher createRangerServiceResourceMatcher(RangerServiceResource serviceResource, RangerServiceDefHelper serviceDefHelper, ResourceHierarchies hierarchies) {
+	static public RangerServiceResourceMatcher createRangerServiceResourceMatcher(RangerServiceResource serviceResource, RangerServiceDefHelper serviceDefHelper, ResourceHierarchies hierarchies, RangerPluginContext pluginContext) {
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> createRangerServiceResourceMatcher(serviceResource=" + serviceResource + ")");
@@ -644,6 +640,7 @@ static public RangerServiceResourceMatcher createRangerServiceResourceMatcher(Ra
 
 				matcher.setServiceDef(serviceDefHelper.getServiceDef());
 				matcher.setPolicyResources(serviceResource.getResourceElements(), policyType);
+				matcher.setPluginContext(pluginContext);
 
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("RangerTagEnricher.setServiceTags() - Initializing matcher with (resource=" + serviceResource

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java

@@ -354,7 +354,7 @@ private boolean validateZoneServiceInAllZones(List<RangerSecurityZone> zones, St
                     policyResources.put(resourceDefName, policyResource);
                 }
 
-                RangerZoneResourceMatcher matcher = new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDefHelper);
+                RangerZoneResourceMatcher matcher = new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDefHelper, null);
 
                 matchers.add(matcher);
                 resourceNames.addAll(policyResources.keySet());

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java

@@ -21,6 +21,7 @@
 
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
@@ -41,17 +42,18 @@ public class RangerZoneResourceMatcher implements RangerResourceEvaluator {
     private final RangerPolicyResourceMatcher                    policyResourceMatcher;
     private RangerServiceDef.RangerResourceDef                   leafResourceDef;
 
-    public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDef serviceDef) {
-        this(securityZoneName, policyResource, new RangerServiceDefHelper(serviceDef));
+    public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDef serviceDef, RangerPluginContext pluginContext) {
+        this(securityZoneName, policyResource, new RangerServiceDefHelper(serviceDef), pluginContext);
     }
 
-    public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDefHelper serviceDefHelper) {
+    public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDefHelper serviceDefHelper, RangerPluginContext pluginContext) {
         final RangerServiceDef                   serviceDef   = serviceDefHelper.getServiceDef();
         final Collection<String>                 resourceKeys = policyResource.keySet();
         final RangerDefaultPolicyResourceMatcher matcher      = new RangerDefaultPolicyResourceMatcher();
 
         matcher.setServiceDef(serviceDef);
         matcher.setServiceDefHelper(serviceDefHelper);
+        matcher.setPluginContext(pluginContext);
 
         boolean found = false;
 

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java

@@ -197,6 +197,7 @@ public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginC
         }
 
         normalizeServiceDefs(servicePolicies);
+        pluginContext.cleanResourceMatchers();
 
         this.pluginContext = pluginContext;
         this.lock          = new RangerReadWriteLock(isUseReadWriteLock);

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java

@@ -23,18 +23,26 @@
 import org.apache.ranger.admin.client.RangerAdminClient;
 import org.apache.ranger.admin.client.RangerAdminRESTClient;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.service.RangerAuthContext;
 import org.apache.ranger.plugin.service.RangerAuthContextListener;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
+
 public class RangerPluginContext {
 	private static final Logger LOG = LoggerFactory.getLogger(RangerPluginContext.class);
 
-	private final RangerPluginConfig        config;
-	private       RangerAuthContext         authContext;
-	private       RangerAuthContextListener authContextListener;
-	private 	  RangerAdminClient         adminClient;
+	private final    RangerPluginConfig                                                         config;
+	private          RangerAuthContext                                                          authContext;
+	private          RangerAuthContextListener                                                  authContextListener;
+	private          RangerAdminClient                                                          adminClient;
+	private	final 	 Map<String, Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher>> resourceMatchers = new HashMap<>();
+	private final    ReentrantReadWriteLock                                                     lock = new ReentrantReadWriteLock(true); // fair lock
 
 
 	public RangerPluginContext(RangerPluginConfig config) {
@@ -53,6 +61,65 @@ public String getClusterType() {
 
 	public RangerAuthContext getAuthContext() { return authContext; }
 
+	public RangerResourceMatcher getResourceMatcher(String resourceDefName, RangerPolicy.RangerPolicyResource resource) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> getResourceMatcher(resourceDefName={}, resource={})", resourceDefName, resource);
+		}
+		RangerResourceMatcher ret = null;
+
+		try {
+			lock.readLock().lock();
+
+			Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher> matchersForResource = resourceMatchers.get(resourceDefName);
+
+			if (matchersForResource != null) {
+				ret = matchersForResource.get(resource);
+			}
+		} finally {
+			lock.readLock().unlock();
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== getResourceMatcher(resourceDefName={}, resource={}) : ret={}", resourceDefName, resource, ret);
+		}
+
+		return ret;
+	}
+
+	public void setResourceMatcher(String resourceDefName, RangerPolicy.RangerPolicyResource resource, RangerResourceMatcher matcher) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> setResourceMatcher(resourceDefName={}, resource={}, matcher={})", resourceDefName, resource, matcher);
+		}
+		if (config != null && config.getPolicyEngineOptions().enableResourceMatcherReuse) {
+			try {
+				lock.writeLock().lock();
+
+				Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher> matchersForResource = resourceMatchers.computeIfAbsent(resourceDefName, k -> new HashMap<>());
+				matchersForResource.put(resource, matcher);
+			} finally {
+				lock.writeLock().unlock();
+			}
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== setResourceMatcher(resourceDefName={}, resource={}, matcher={})", resourceDefName, resource, matcher);
+		}
+	}
+
+	void cleanResourceMatchers() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> cleanResourceMatchers()");
+		}
+		try {
+			lock.writeLock().lock();
+
+			resourceMatchers.clear();
+		} finally {
+			lock.writeLock().unlock();
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== cleanResourceMatchers()");
+		}
+	}
+
 	public void setAuthContext(RangerAuthContext authContext) { this.authContext = authContext; }
 
 	public void setAuthContextListener(RangerAuthContextListener authContextListener) { this.authContextListener = authContextListener; }

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java

@@ -36,6 +36,7 @@ public class RangerPolicyEngineOptions {
 	public boolean evaluateDelegateAdminOnly = false;
 	public boolean enableTagEnricherWithLocalRefresher = false;
 	public boolean enableUserStoreEnricherWithLocalRefresher = false;
+	public boolean enableResourceMatcherReuse = true;
 	@Deprecated
 	public boolean disableAccessEvaluationWithPolicyACLSummary = true;
 	public boolean optimizeTrieForRetrieval = false;
@@ -61,6 +62,7 @@ public RangerPolicyEngineOptions(final RangerPolicyEngineOptions other) {
 		this.evaluateDelegateAdminOnly = other.evaluateDelegateAdminOnly;
 		this.enableTagEnricherWithLocalRefresher = other.enableTagEnricherWithLocalRefresher;
 		this.enableUserStoreEnricherWithLocalRefresher = other.enableUserStoreEnricherWithLocalRefresher;
+		this.enableResourceMatcherReuse = other.enableResourceMatcherReuse;
 		this.optimizeTrieForRetrieval = other.optimizeTrieForRetrieval;
 		this.disableRoleResolution = other.disableRoleResolution;
 		this.serviceDefHelper = null;
@@ -79,6 +81,7 @@ public void configureForPlugin(Configuration conf, String propertyPrefix) {
 		disableUserStoreRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.userstore.retriever", false);
 
 		cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
+		enableResourceMatcherReuse = conf.getBoolean(propertyPrefix + ".policyengine.option.enable.resourcematcher.reuse", true);
 
 		if (!disableTrieLookupPrefilter) {
 			cacheAuditResults = false;
@@ -109,6 +112,7 @@ public void configureDefaultRangerAdmin(Configuration conf, String propertyPrefi
 		enableUserStoreEnricherWithLocalRefresher = false;
 		optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
 		disableRoleResolution = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.role.resolution", true);
+		enableResourceMatcherReuse = conf.getBoolean(propertyPrefix + ".policyengine.option.enable.resourcematcher.reuse", true);
 	}
 
 	public void configureDelegateAdmin(Configuration conf, String propertyPrefix) {
@@ -120,6 +124,7 @@ public void configureDelegateAdmin(Configuration conf, String propertyPrefix) {
 		disableTagRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tag.retriever", true);
 		disableUserStoreRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.userstore.retriever", true);
 		optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
+		enableResourceMatcherReuse = conf.getBoolean(propertyPrefix + ".policyengine.option.enable.resourcematcher.reuse", true);
 
 		cacheAuditResults = false;
 		evaluateDelegateAdminOnly = true;
@@ -145,6 +150,7 @@ public void configureRangerAdminForPolicySearch(Configuration conf, String prope
 		optimizeTrieForSpace = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.space", false);
 		optimizeTagTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.tag.trie.for.retrieval", false);
 		optimizeTagTrieForSpace = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.tag.trie.for.space", true);
+		enableResourceMatcherReuse = conf.getBoolean(propertyPrefix + ".policyengine.option.enable.resourcematcher.reuse", true);
 	}
 
 	public RangerServiceDefHelper getServiceDefHelper() {
@@ -181,6 +187,7 @@ public boolean equals(Object other) {
 					&& this.optimizeTrieForSpace == that.optimizeTrieForSpace
 					&& this.optimizeTagTrieForRetrieval == that.optimizeTagTrieForRetrieval
 					&& this.optimizeTagTrieForSpace == that.optimizeTagTrieForSpace
+					&& this.enableResourceMatcherReuse == that.enableResourceMatcherReuse
 			;
 		}
 		return ret;
@@ -221,6 +228,8 @@ public int hashCode() {
 		ret *= 2;
 		ret += optimizeTagTrieForSpace ? 1 : 0;
 		ret *= 2;
+		ret += enableResourceMatcherReuse ? 1 : 0;
+		ret *= 2;
 		return ret;
 	}
 
@@ -244,6 +253,7 @@ public String toString() {
 				", optimizeTrieForSpace: " + optimizeTrieForSpace +
 				", optimizeTagTrieForRetrieval: " + optimizeTagTrieForRetrieval +
 				", optimizeTagTrieForSpace: " + optimizeTagTrieForSpace +
+				", enableResourceMatcherReuse: " + enableResourceMatcherReuse +
 				" }";
 
 	}

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java

@@ -171,7 +171,7 @@ private void buildZoneTrie(Map<String, SecurityZoneInfo> securityZones, RangerSe
                         policyResources.put(resourceDefName, new RangerPolicyResource(resourceValues, false, isRecursive));
                     }
 
-                    matchers.add(new RangerZoneResourceMatcher(zoneName, policyResources, serviceDef));
+                    matchers.add(new RangerZoneResourceMatcher(zoneName, policyResources, serviceDef, pluginContext));
 
                     if (LOG.isDebugEnabled()) {
                         LOG.debug("Built matcher for resource:[{}] in zone:[{}]", resource, zoneName);

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java

@@ -542,6 +542,7 @@ public RangerDefaultPolicyResourceEvaluator(long id, Map<String, RangerPolicyRes
 			this.resourceMatcher.setPolicyResources(resource, policyType);
 			this.resourceMatcher.setServiceDef(serviceDef);
 			this.resourceMatcher.setServiceDefHelper(serviceDefHelper);
+			this.resourceMatcher.setPluginContext(pluginContext);
 			this.resourceMatcher.init();
 		}
 

agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java

@@ -37,6 +37,7 @@
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceElementMatchingScope;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -60,6 +61,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
     private List<RangerResourceDef>             validResourceHierarchy;
     private boolean                             isInitialized = false;
     private RangerServiceDefHelper              serviceDefHelper;
+    private RangerPluginContext                 pluginContext = null;
 
     private final boolean forceEnableWildcardMatch;
 
@@ -113,6 +115,9 @@ public void setServiceDefHelper(RangerServiceDefHelper serviceDefHelper) {
         this.serviceDefHelper = serviceDefHelper;
     }
 
+    @Override
+    public void setPluginContext(RangerPluginContext pluginContext) { this.pluginContext = pluginContext; }
+
     public int getPolicyType() { return policyType; }
 
     public RangerServiceDefHelper getServiceDefHelper() {
@@ -812,29 +817,41 @@ private RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDe
             String resName = resourceDef.getName();
             String clsName = resourceDef.getMatcher();
 
-            if (!StringUtils.isEmpty(clsName)) {
-                try {
-                    @SuppressWarnings("unchecked")
-                    Class<RangerResourceMatcher> matcherClass = (Class<RangerResourceMatcher>) Class.forName(clsName);
+            if (pluginContext != null) {
+                ret = pluginContext.getResourceMatcher(resName, resource);
+            }
+
+            if (ret == null) {
+                if (!StringUtils.isEmpty(clsName)) {
+                    try {
+                        @SuppressWarnings("unchecked") Class<RangerResourceMatcher> matcherClass = (Class<RangerResourceMatcher>) Class.forName(clsName);
 
-                    ret = matcherClass.newInstance();
-                } catch (Exception excp) {
-                    LOG.error("failed to instantiate resource matcher '" + clsName + "' for '" + resName + "'. Default resource matcher will be used", excp);
+                        ret = matcherClass.newInstance();
+                    } catch (Exception excp) {
+                        LOG.error("failed to instantiate resource matcher '" + clsName + "' for '" + resName + "'. Default resource matcher will be used", excp);
+                    }
                 }
-            }
 
 
-            if (ret == null) {
-                ret = new RangerDefaultResourceMatcher();
-            }
+                if (ret == null) {
+                    ret = new RangerDefaultResourceMatcher();
+                }
 
-            if (forceEnableWildcardMatch && !Boolean.parseBoolean(resourceDef.getMatcherOptions().get(OPTION_WILD_CARD))) {
-                resourceDef = serviceDefHelper.getWildcardEnabledResourceDef(resourceDef.getName(), policyType);
-            }
+                if (forceEnableWildcardMatch && !Boolean.parseBoolean(resourceDef.getMatcherOptions().get(OPTION_WILD_CARD))) {
+                    resourceDef = serviceDefHelper.getWildcardEnabledResourceDef(resourceDef.getName(), policyType);
+                }
 
-            ret.setResourceDef(resourceDef);
-            ret.setPolicyResource(resource);
-            ret.init();
+                ret.setResourceDef(resourceDef);
+                ret.setPolicyResource(resource);
+                ret.init();
+                if (pluginContext != null) {
+                    pluginContext.setResourceMatcher(resName, resource, ret);
+                }
+            } else {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Did not create a fresh matcher - used matcher from pluginContext");
+                }
+            }
         } else {
             LOG.error("RangerDefaultPolicyResourceMatcher: RangerResourceDef is null");
         }