RANGER-4761: make lazy memory allocation for family map lazy instead …

…of ahead of time memory allocation for family map of type Map<String, Set<String>>. Removed ColumnFailyCache. Impact: Memory and computational benefit - Cache memory saved & huge reduction in memory when large number of columns accessed. Since ColumnFamilyCache is always a miss because of non deterministic access patterns and also a bug wherein address of byte array is used as key in cache, we get computational benefit by removing ColumnFamilyCache. Memory footprint will get reduced even further when enabling column auth optimization supported by RANGER-4670
apache · Mar 27, 2024 · 004330a · 004330a
1 parent 5981fb3
commit 004330a
Showing 1 changed file with 12 additions and 8 deletions.
diff --git a/...t/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/...t/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -323,10 +323,12 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 		String access = _authUtils.getAccess(action);
 		User user = getActiveUser(ctx);
 		String userName = _userUtils.getUserAsString(user);
+		Map<String, Set<String>> colFamiliesForDebugLoggingOnly = new HashMap<>();
 
 		if (LOG.isDebugEnabled()) {
+			colFamiliesForDebugLoggingOnly = getColumnFamilies(familyMap);
 			LOG.debug(String.format("evaluateAccess: entered: user[%s], Operation[%s], access[%s], families[%s]",
-					userName, operation, access, getColumnFamilies(familyMap).toString()));
+					userName, operation, access, colFamiliesForDebugLoggingOnly.toString()));
 		}
 
 		byte[] tableBytes = getTableName(env);
@@ -383,7 +385,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 						authorized ? Collections.singletonList(event) : null,
 						null, authorized ? null : event, reason, null);
 			if (LOG.isDebugEnabled()) {
-				String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
+				String message = String.format(messageTemplate, userName, operation, access, colFamiliesForDebugLoggingOnly.toString(), result.toString());
 				LOG.debug(message);
 			}
 			return result;
@@ -407,13 +409,13 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 		Set<String> familesAccessDenied = new HashSet<String>();
 		Set<String> familesAccessIndeterminate = new HashSet<String>();
 
-		for (Map.Entry<String, Set<String>> anEntry : families.entrySet()) {
-			String family = anEntry.getKey();
+		for (Map.Entry<byte[], ? extends Collection<?>> anEntry : familyMap.entrySet()) {
+			String family = Bytes.toString(anEntry.getKey());
 			session.columnFamily(family);
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("evaluateAccess: Processing family: " + family);
 			}
-			Set<String> columns = anEntry.getValue();
+			Collection<?> columns = anEntry.getValue();
 			if (columns == null || columns.isEmpty()) {
 				LOG.debug("evaluateAccess: columns collection null or empty, ok.  Family level access is desired.");
 
@@ -488,8 +490,10 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 			} else {
 				LOG.debug("evaluateAccess: columns collection not empty.  Skipping Family level check, will do finer level access check.");
 				Set<String> accessibleColumns = new HashSet<String>(); // will be used in to populate our results cache for the filter
- 				for (String column : columns) {
- 					if (LOG.isDebugEnabled()) {
+				Iterator<String> columnIterator = new ColumnIterator(columns);
+				while (columnIterator.hasNext()) {
+					String column = columnIterator.next();
+					 if (LOG.isDebugEnabled()) {
  						LOG.debug("evaluateAccess: Processing column: " + column);
  					}
  					session.column(column)
@@ -529,7 +533,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 		RangerAuthorizationFilter filter = new RangerAuthorizationFilter(session, familesAccessAllowed, familesAccessDenied, familesAccessIndeterminate, columnsAccessAllowed);
 		result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter);
 		if (LOG.isDebugEnabled()) {
-			String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
+			String message = String.format(messageTemplate, userName, operation, access, colFamiliesForDebugLoggingOnly.toString(), result.toString());
 			LOG.debug(message);
 		}
 		return result;