
RANGER-3899: performance improvement for policies with many users/groups/roles (ranger-2.9) #970

Open: ramackri wants to merge 4 commits into ranger-2.9 from RANGER-3899-patch-release



ramackri commented May 25, 2026

What changes were proposed in this pull request?

Backport of apache/ranger@d1589d629 (RANGER-3899) to ranger-2.9:

  • Batch ID lookups in policy ref DAOs / named queries
  • PolicyRefUpdater optimizations and ServiceDBStore update-path changes
  • JaCoCo fix in dev-support/checks/coverage.sh

Follow-up on this branch: fix TestServiceDBStore.tess28updatePolicy for the new ref-table API; omit TestPolicyRefUpdater (JUnit 5) because ranger-2.9 security-admin still uses Surefire 2.18.1 — no Surefire/JUnit5 pom change for this release backport.

How was this patch tested?

  • mvn -pl security-admin test -Dtest=TestServiceDBStore (47 tests, pass)
  • mvn -pl security-admin pmd:check (pass)

Summary

Manual smoke verification of policy test123 (policy ID 48) on the dev_hive service after local Docker deployment. Focus: users/groups/roles on policy edit and consistency between REST API and x_policy_ref_* tables (policy ref updater path).

Test environment

| Item | Value |
| --- | --- |
| Ranger Admin | http://localhost:6080 |
| Build | Local Docker (Postgres + Admin only) |
| Service | HIVE — dev_hive (service ID 5) |
| Policy | test123 (policy ID 48) |
| Edit URL | http://localhost:6080/index.html#/service/5/policies/48/edit |
| DB | Postgres (ranger-postgres) |

Verification performed

Infrastructure

| Check | Result |
| --- | --- |
| Ranger Admin reachable | ✅ HTTP 200 on login page |
| Admin UI / REST API | ✅ Authenticated successfully |

Policy 48 — REST API (GET /service/public/v2/api/policy/48)

| Check | Result |
| --- | --- |
| Policy name | test123 |
| Service | dev_hive |
| Allow policy items | 1 |
| Users (7) | ramk, admin, keyadmin, knox, hbase, hdfs, rangertagsync |
| Groups (5) | TestGroup1–TestGroup5 |
| Roles (4) | TestRole1, TestRole3, TestRole4, TestRole5 |

Database — x_policy_ref_* (policy_id = 48)

| Table | Result |
| --- | --- |
| x_policy_ref_user | ✅ Same 7 users as API |
| x_policy_ref_group | ✅ Same 5 groups as API |
| x_policy_ref_role | ✅ Same 4 roles as API |

Conclusion: Persisted policy state is consistent between REST API and ref tables on read — good signal for the ref-updater persistence path.

Manually tested in the local Docker setup

  • UI: incremental add user / group / role → Save → reopen policy
  • UI: incremental remove one principal → Save → reopen
  • UI: Deny and Allow exception rows with principals

How to reproduce

```bash
# Policy via REST (replace credentials as needed)
curl -s -u admin:'<password>' \
  'http://localhost:6080/service/public/v2/api/policy/48' | jq '.name, .service, .policyItems'

# Ref tables
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT user_name FROM x_policy_ref_user WHERE policy_id=48 ORDER BY 1;"
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT group_name FROM x_policy_ref_group WHERE policy_id=48 ORDER BY 1;"
docker exec ranger-postgres psql -U postgres -d ranger -c \
  "SELECT role_name FROM x_policy_ref_role WHERE policy_id=48 ORDER BY 1;"
```
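
An added example, not part of the pull request or of the Ranger code base: the REST-versus-ref-table comparison described above, done programmatically over constructed data. It assumes the `x_policy_ref_*` tables hold every principal named in any of the policy's item lists (allow, deny, exceptions, masking, row filter), which goes beyond the `.policyItems` field the curl command prints; the function names and sample values are hypothetical.

```python
# Added example: compare principals in a Ranger policy JSON with x_policy_ref_* rows.
# Assumption: every item list below contributes principals to the ref tables.
ITEM_LISTS = ("policyItems", "denyPolicyItems", "allowExceptions",
              "denyExceptions", "dataMaskPolicyItems", "rowFilterPolicyItems")
KINDS = ("users", "groups", "roles")


def principals_in_policy(policy):
    """Collect the distinct users/groups/roles named by every item list."""
    found = {kind: set() for kind in KINDS}
    for list_name in ITEM_LISTS:
        for item in policy.get(list_name) or []:      # list may be absent or null
            for kind in KINDS:
                found[kind].update(item.get(kind) or [])
    return found


def ref_table_drift(policy, ref_rows):
    """Return {kind: (missing_from_db, stale_in_db)} for the kinds that differ.

    ref_rows maps "users"/"groups"/"roles" to the names read from
    x_policy_ref_user / x_policy_ref_group / x_policy_ref_role.
    """
    drift = {}
    expected = principals_in_policy(policy)
    for kind in KINDS:
        stored = set(ref_rows.get(kind) or [])
        missing, stale = expected[kind] - stored, stored - expected[kind]
        if missing or stale:
            drift[kind] = (sorted(missing), sorted(stale))
    return drift


# Constructed sample data (not captured from the PR's environment).
SAMPLE_POLICY = {
    "name": "sample-policy",
    "policyItems": [{"users": ["admin", "hdfs"], "groups": ["TestGroup1"], "roles": []}],
    "denyPolicyItems": [{"users": ["knox"], "groups": None, "roles": ["TestRole1"]}],
    "allowExceptions": [{"users": ["admin"], "roles": ["TestRole3"]}],
    "denyExceptions": [],
}
SAMPLE_REF_ROWS = {
    "users": ["admin", "hdfs"],               # "knox" (deny item only) was not stored
    "groups": ["TestGroup1", "TestGroup2"],   # "TestGroup2" left over from an earlier edit
    "roles": ["TestRole1", "TestRole3"],
}

if __name__ == "__main__":
    for kind, (missing, stale) in ref_table_drift(SAMPLE_POLICY, SAMPLE_REF_ROWS).items():
        print(f"{kind}: missing from ref table {missing}, stale in ref table {stale}")
```

An empty result means the ref tables match the policy; a non-empty "stale" list is the case an incremental remove followed by Save should never leave behind.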

ramk and others added 2 commits May 25, 2026 08:22
…erencing large number of users/groups/roles

Backport of d1589d629 to ranger-2.9.

Co-authored-by: Cursor <cursoragent@cursor.com>

… on ranger-2.9

Update tess28updatePolicy mock for createNewPolMappingForRefTable(..., true).
Remove TestPolicyRefUpdater (JUnit 5) since ranger-2.9 security-admin uses
Surefire 2.18.1; production backport does not require Surefire/JUnit5 changes.

Co-authored-by: Cursor <cursoragent@cursor.com>

ramackri requested a review from mneethiraj May 25, 2026 03:51
ramackri self-assigned this May 25, 2026

ramk and others added 2 commits May 25, 2026 09:56
Restore ranger-2.9 formatting and append only batch lookup/delete methods
from master (d1589d6), matching ~266 lines added instead of full-file
reformat churn.

Co-authored-by: Cursor <cursoragent@cursor.com>

Restore policy ref updater unit tests adapted for batch DAO APIs and
5-arg createNewPolMappingForRefTable. Use JUnit 4 + MockitoJUnitRunner
so tests run under security-admin Surefire 2.18.1 without pom changes.

Co-authored-by: Cursor <cursoragent@cursor.com>

<query>SELECT count(obj.id) FROM XXPolicy obj where obj.zoneId IS NOT NULL AND obj.zoneId != :zoneId</query>
</named-query>

<named-query name="XXGdsDataset.findByGuid">
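
Review bot: The last line shown, `<named-query name="XXGdsDataset.findByGuid">`, opens a query on an entity unrelated to the policy ref batch lookups this backport describes, so if that line is being added here it falls outside the change's stated scope. A named query whose entity is not mapped on the target branch is normally rejected when the JPA provider loads the mapping file, so limit the changes in this file to the queries the new batch lookup DAO methods call and confirm that Ranger Admin still starts with the trimmed file.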

XXGdsDataset is part of GDS feature which is in master branch but not in ranger-2.9 branch. Please review and remove updates that aren't relevant to RANGER-3899.
