Skip to content

RANGER-3899: performance improvement for policies with many users/groups/roles (ranger-2.9)#970

Merged
ramackri merged 5 commits into
ranger-2.9from
RANGER-3899-patch-release
May 26, 2026
Merged

RANGER-3899: performance improvement for policies with many users/groups/roles (ranger-2.9)#970
ramackri merged 5 commits into
ranger-2.9from
RANGER-3899-patch-release

Conversation

@ramackri
Copy link
Copy Markdown
Contributor

@ramackri ramackri commented May 25, 2026
edited
Loading

What changes were proposed in this pull request?

Backport of apache/ranger@d1589d629 (RANGER-3899) to ranger-2.9:

  • Batch ID lookups in policy ref DAOs / named queries
  • PolicyRefUpdater optimizations and ServiceDBStore update-path changes
  • JaCoCo fix in dev-support/checks/coverage.sh

Follow-up on this branch: fix TestServiceDBStore.tess28updatePolicy for the new ref-table API; omit TestPolicyRefUpdater (JUnit 5) because ranger-2.9 security-admin still uses Surefire 2.18.1 — no Surefire/JUnit5 pom change for this release backport.

How was this patch tested?

  • mvn -pl security-admin test -Dtest=TestServiceDBStore (47 tests, pass)
  • mvn -pl security-admin pmd:check (pass)

Summary

Manual smoke verification of policy test123 (policy ID 48) on the dev_hive service after local Docker deployment. Focus: users/groups/roles on policy edit and consistency between REST API and x_policy_ref_* tables (policy ref updater path).

Test environment

Item Value
Ranger Admin http://localhost:6080
Build Local Docker (Postgres + Admin only)
Service HIVE — dev_hive (service ID 5)
Policy test123 (policy ID 48)
Edit URL http://localhost:6080/index.html#/service/5/policies/48/edit
DB Postgres (ranger-postgres)

Verification performed

Infrastructure

Check Result
Ranger Admin reachable ✅ HTTP 200 on login page
Admin UI / REST API ✅ Authenticated successfully

Policy 48 — REST API (GET /service/public/v2/api/policy/48)

Check Result
Policy name test123
Service dev_hive
Allow policy items 1
Users (7) ramk, admin, keyadmin, knox, hbase, hdfs, rangertagsync
Groups (5) TestGroup1TestGroup5
Roles (4) TestRole1, TestRole3, TestRole4, TestRole5

Database — x_policy_ref_* (policy_id = 48)

Table Result
x_policy_ref_user ✅ Same 7 users as API
x_policy_ref_group ✅ Same 5 groups as API
x_policy_ref_role ✅ Same 4 roles as API

Conclusion: Persisted policy state is consistent between REST API and ref tables on read — good signal for the ref-updater persistence path.

Manually tested In the local Docker setup

  • UI: incremental add user / group / role → Save → reopen policy
  • UI: incremental remove one principal → Save → reopen
  • UI: Deny and Allow exception rows with principals

How to reproduce

# Policy via REST (replace credentials as needed)
curl -s -u admin:'<password>' \
  'http://localhost:6080/service/public/v2/api/policy/48' | jq '.name, .service, .policyItems'

# Ref tables
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT user_name FROM x_policy_ref_user WHERE policy_id=48 ORDER BY 1;"
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT group_name FROM x_policy_ref_group WHERE policy_id=48 ORDER BY 1;"
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT role_name FROM x_policy_ref_role WHERE policy_id=48 ORDER BY 1;"

ramk and others added 2 commits May 25, 2026 08:22
@cursoragent
RANGER-3899: performance improvement in create/update of policies ref…
3440799 
…erencing large number of users/groups/roles

Backport of d1589d629 to ranger-2.9.

Co-authored-by: Cursor <cursoragent@cursor.com>
@cursoragent
RANGER-3899: fix TestServiceDBStore; omit JUnit5 TestPolicyRefUpdater…
75d2629 
… on ranger-2.9

Update tess28updatePolicy mock for createNewPolMappingForRefTable(..., true).
Remove TestPolicyRefUpdater (JUnit 5) since ranger-2.9 security-admin uses
Surefire 2.18.1; production backport does not require Surefire/JUnit5 changes.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ramackri ramackri requested a review from mneethiraj May 25, 2026 03:51
@ramackri ramackri self-assigned this May 25, 2026
ramk and others added 2 commits May 25, 2026 09:56
@cursoragent
RANGER-3899: trim DAO diffs to functional-only changes on ranger-2.9
e7d3235 
Restore ranger-2.9 formatting and append only batch lookup/delete methods
from master (d1589d6), matching ~266 lines added instead of full-file
reformat churn.

Co-authored-by: Cursor <cursoragent@cursor.com>
@cursoragent
RANGER-3899: add TestPolicyRefUpdater using JUnit 4 on ranger-2.9
0b5ce85 
Restore policy ref updater unit tests adapted for batch DAO APIs and
5-arg createNewPolMappingForRefTable. Use JUnit 4 + MockitoJUnitRunner
so tests run under security-admin Surefire 2.18.1 without pom changes.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ramackri
Copy link
Copy Markdown
Contributor Author

ramackri commented May 25, 2026

image

mneethiraj
mneethiraj reviewed May 25, 2026
View reviewed changes
Comment thread security-admin/src/main/resources/META-INF/jpa_named_queries.xml Outdated
@cursoragent
RANGER-3899: drop GDS and master-only JPA queries from 2.9 backport
2b3b9b6 
Align jpa_named_queries.xml with d1589d629: keep only the
13 named queries required for policy ref updater performance work.
Remove XXGds* (GDS), XXPolicy.findByServiceType, and other queries not
present on ranger-2.9. Restore XXRMSResourceMapping.deleteByServiceResourceIds.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ramackri ramackri merged commit 4559d0a into ranger-2.9 May 26, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mneethiraj mneethiraj mneethiraj approved these changes

Assignees

@ramackri ramackri

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ramackri @mneethiraj