From b3a817aafa4082bf1a28fc71d4ad0be8965fdded Mon Sep 17 00:00:00 2001
From: "fateh288@gmail.com"
Date: Mon, 15 Sep 2025 14:29:41 -0700
Subject: [PATCH] RANGER-5230: add configuration to force policy engine to update its policy cache synchronously

---
 .../plugin/service/RangerBasePlugin.java | 30 +++++++++++++++++--
 .../scripts/create-ranger-services.py | 25 +++++++++++-----
 2 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 606062bd95..ca85abdb4e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -77,7 +77,7 @@ public class RangerBasePlugin {
     private final boolean dedupStrings;
     private boolean isUserStoreEnricherAddedImplcitly = false;
     private Map serviceConfigs;
-
+    private boolean synchronousPolicyRefresh;
 
     public RangerBasePlugin(String serviceType, String appId) {
         this(new RangerPluginConfig(serviceType, null, appId, null, null, null));
@@ -362,6 +362,12 @@ public void setPolicies(ServicePolicies policies) {
             }
         }
 
+        String isSyncPolicyRefresh = this.pluginConfig == null ? null : this.serviceConfigs.get(this.pluginConfig.getPropertyPrefix() + ".policy.refresh.synchronous");
+        this.synchronousPolicyRefresh = Boolean.parseBoolean(isSyncPolicyRefresh);
+        if (this.synchronousPolicyRefresh) {
+            LOG.info("synchronousPolicyRefresh = {}", this.synchronousPolicyRefresh);
+        }
+
         // guard against catastrophic failure during policy engine Initialization or
         try {
             RangerPolicyEngine oldPolicyEngine = this.policyEngine;
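Review bot: The added lookup in setPolicies null-checks `this.pluginConfig` but then dereferences `this.serviceConfigs`, which the same commit treats as nullable in getServiceConfigs(); a null serviceConfigs here throws NullPointerException from inside the policy-update path, so the guard should cover both objects: `String isSyncPolicyRefresh = (this.pluginConfig == null || this.serviceConfigs == null) ? null : this.serviceConfigs.get(this.pluginConfig.getPropertyPrefix() + ".policy.refresh.synchronous");`. The INFO log a few lines below fires on every setPolicies call while the flag is true, and once the flag is true setPolicies is presumably reached through the per-request refresh added in isAccessAllowed, so it should move to DEBUG or log only when the value changes. The flag is written here and read by request threads in isAccessAllowed, so it should get the same `volatile` treatment as policyEngine if that field is volatile, which cannot be confirmed from the hunk. A comment on the new field stating that the key is a service config delivered from Ranger Admin, i.e. controlled by the administrator rather than the plugin host, would help the next reader. setPolicies begins and ends outside the hunk.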
@@ -558,6 +564,9 @@ public Collection isAccessAllowed(Collection isAccessAllowed(Collection requests, RangerAccessResultProcessor resultProcessor) { + if (this.synchronousPolicyRefresh) { + refreshPoliciesAndTags(); + } Collection ret = null; RangerPolicyEngine policyEngine = this.policyEngine; @@ -644,6 +656,9 @@ public Collection isAccessAllowed(Collection refreshPoliciesAndTags()"); + LOG.debug("==> refreshPoliciesAndTags(): synchronousPolicyRefresh={}", synchronousPolicyRefresh); } try { @@ -1224,7 +1248,7 @@ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseAC } public Map getServiceConfigs() { - return serviceConfigs; + return (serviceConfigs == null) ? Collections.emptyMap() : serviceConfigs; } protected RangerPolicyEngine getPolicyEngine() { diff --git a/dev-support/ranger-docker/scripts/create-ranger-services.py b/dev-support/ranger-docker/scripts/create-ranger-services.py index 45d6a77915..7e0ad7e386 100644 --- a/dev-support/ranger-docker/scripts/create-ranger-services.py +++ b/dev-support/ranger-docker/scripts/create-ranger-services.py 
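Review bot: With the flag set, the three lines added at the top of isAccessAllowed call refreshPoliciesAndTags() on every authorization request, so each access check now carries a round trip to Ranger Admin on the request thread, and a slow or unreachable admin stalls every access decision for the service; that is a per-request availability dependency switched on by a single admin-side config value. The cost is fine for the docker dev setup the commit targets but should be stated next to the check, e.g. `// synchronous refresh: fetch policies/tags on every request; intended for test setups, not production load`, and in the documentation of the config key. The -644 hunk appears to add the same three lines to the second isAccessAllowed overload (its body is garbled in this rendering), so the same comment belongs there. Both overloads start and end outside their hunks.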
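Review bot: getServiceConfigs() now returns an immutable `Collections.emptyMap()` when serviceConfigs is null but the live mutable field otherwise, so callers see two different contracts depending on state: a caller that mutates the result succeeds in one case and gets UnsupportedOperationException in the other. If no caller relies on mutating it, `return (serviceConfigs == null) ? Collections.emptyMap() : Collections.unmodifiableMap(serviceConfigs);` gives one read-only contract and also stops external code from editing the map that setPolicies reads the refresh flag from; whether such callers exist cannot be told from the hunk. Either way the method's Javadoc should say the returned map is never null and must not be modified.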
@@ -17,24 +17,29 @@ def service_not_exists(service):
                       'configs': {'username': 'hdfs', 'password': 'hdfs',
                                   'fs.default.name': 'hdfs://ranger-hadoop:9000',
                                   'hadoop.security.authentication': 'simple',
-                                  'hadoop.security.authorization': 'true'}})
+                                  'hadoop.security.authorization': 'true',
+                                  'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}})
 
 hive = RangerService({'name': 'dev_hive', 'type': 'hive',
                       'configs': {'username': 'hive', 'password': 'hive',
                                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
                                   'jdbc.url': 'jdbc:hive2://ranger-hive:10000',
-                                  'hadoop.security.authorization': 'true'}})
+                                  'hadoop.security.authorization': 'true',
+                                  'ranger.plugin.hive.policy.refresh.synchronous':'true'}})
 
 kafka = RangerService({'name': 'dev_kafka', 'type': 'kafka',
                        'configs': {'username': 'kafka', 'password': 'kafka',
-                                   'zookeeper.connect': 'ranger-zk.example.com:2181'}})
+                                   'zookeeper.connect': 'ranger-zk.example.com:2181',
+                                   'ranger.plugin.kafka.policy.refresh.synchronous':'true'}})
 
 knox = RangerService({'name': 'dev_knox', 'type': 'knox',
-                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox:8443'}})
+                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox:8443',
+                                  'ranger.plugin.knox.policy.refresh.synchronous':'true'}})
 
 yarn = RangerService({'name': 'dev_yarn', 'type': 'yarn',
                       'configs': {'username': 'yarn', 'password': 'yarn',
-                                  'yarn.url': 'http://ranger-hadoop:8088'}})
+                                  'yarn.url': 'http://ranger-hadoop:8088',
+                                  'ranger.plugin.yarn.policy.refresh.synchronous':'true'}})
 
 hbase = RangerService({'name': 'dev_hbase', 'type': 'hbase',
                        'configs': {'username': 'hbase', 'password': 'hbase',
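Review bot: The added entries are written `':'true'` with no space after the colon, while every neighbouring key in these dicts uses `'key': 'value'`; the same applies to the additions in the -43, -56 and -63 hunks. Writing them as `'ranger.plugin.hdfs.policy.refresh.synchronous': 'true',` keeps the script uniform. Since this file seeds the docker dev services, it is where a reader first meets the key, so a one-line comment above the hdfs service such as `# policy.refresh.synchronous: plugin fetches policies on every access check (see RangerBasePlugin); dev/test only` would spare them a trip to the Java source.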
@@ -43,11 +48,13 @@ def service_not_exists(service):
                                    'hadoop.security.authorization': 'true',
                                    'hbase.zookeeper.property.clientPort': '2181',
                                    'hbase.zookeeper.quorum': 'ranger-zk',
-                                   'zookeeper.znode.parent': '/hbase'}})
+                                   'zookeeper.znode.parent': '/hbase',
+                                   'ranger.plugin.hbase.policy.refresh.synchronous':'true'}})
 
 kms = RangerService({'name': 'dev_kms', 'type': 'kms',
                      'configs': {'username': 'keyadmin', 'password': 'rangerR0cks!',
-                                 'provider': 'http://ranger-kms:9292'}})
+                                 'provider': 'http://ranger-kms:9292',
+                                 'ranger.plugin.kms.policy.refresh.synchronous':'true'}})
 
 trino = RangerService({'name': 'dev_trino', 'type': 'trino',
@@ -56,6 +63,7 @@ def service_not_exists(service):
                                    'password': 'trino',
                                    'jdbc.driverClassName': 'io.trino.jdbc.TrinoDriver',
                                    'jdbc.url': 'jdbc:trino://ranger-trino:8080',
+                                   'ranger.plugin.trino.policy.refresh.synchronous':'true'
                                    }})
 
 ozone = RangerService({'name': 'dev_ozone',
@@ -63,7 +71,8 @@ def service_not_exists(service):
                        'displayName': 'dev_ozone',
                        'configs': {'username': 'hdfs', 'password': 'hdfs',
                                    'ozone.om.http-address': 'http://om:9874',
-                                   'hadoop.security.authentication': 'simple'}})
+                                   'hadoop.security.authentication': 'simple',
+                                   'ranger.plugin.ozone.policy.refresh.synchronous':'true'}})
 
 services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone]
 for service in services: