From 004330ab9c418a5c298c43ffd3d4479960e84fc2 Mon Sep 17 00:00:00 2001
From: "fateh288@gmail.com"
Date: Tue, 26 Mar 2024 18:25:40 -0700
Subject: [PATCH] RANGER-4761: make lazy memory allocation for family map lazy instead of ahead of time memory allocation for family map of type Map>. Removed ColumnFailyCache. Impact: Memory and computational benefit - Cache memory saved & huge reduction in memory when large number of columns accessed. Since ColumnFamilyCache is always a miss because of non deterministic access patterns and also a bug wherein address of byte array is used as key in cache, we get computational benefit by removing ColumnFamilyCache. Memory footprint will get reduced even further when enabling column auth optimization supported by RANGER-4670
---
 .../hbase/RangerAuthorizationCoprocessor.java | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 281f3ec75c3..76330e8dd72 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -323,10 +323,12 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation
 String access = _authUtils.getAccess(action);
 User user = getActiveUser(ctx);
 String userName = _userUtils.getUserAsString(user);
+ Map> colFamiliesForDebugLoggingOnly = new HashMap<>();
 if (LOG.isDebugEnabled()) {
+ colFamiliesForDebugLoggingOnly = getColumnFamilies(familyMap);
 LOG.debug(String.format("evaluateAccess: entered: user[%s], Operation[%s], access[%s], families[%s]",
- userName, operation, access, getColumnFamilies(familyMap).toString()));
+ userName, operation, access, colFamiliesForDebugLoggingOnly.toString()));
 }
 byte[] tableBytes = getTableName(env);
@@ -383,7 +385,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation
 authorized ? Collections.singletonList(event) : null, null, authorized ? null : event, reason, null);
 if (LOG.isDebugEnabled()) {
- String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
+ String message = String.format(messageTemplate, userName, operation, access, colFamiliesForDebugLoggingOnly.toString(), result.toString());
 LOG.debug(message);
 }
 return result;
@@ -407,13 +409,13 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation
 Set familesAccessDenied = new HashSet();
 Set familesAccessIndeterminate = new HashSet();
- for (Map.Entry> anEntry : families.entrySet()) {
- String family = anEntry.getKey();
+ for (Map.Entry> anEntry : familyMap.entrySet()) {
+ String family = Bytes.toString(anEntry.getKey());
 session.columnFamily(family);
 if (LOG.isDebugEnabled()) {
 LOG.debug("evaluateAccess: Processing family: " + family);
 }
- Set columns = anEntry.getValue();
+ Collection columns = anEntry.getValue();
 if (columns == null || columns.isEmpty()) {
 LOG.debug("evaluateAccess: columns collection null or empty, ok. Family level access is desired.");
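Review bot: The initialiser on the added `colFamiliesForDebugLoggingOnly` declaration allocates a fresh `HashMap` on every `evaluateAccess` call even when debug logging is off, which works against the patch's stated goal of reducing allocation in this authorization path. Because the map is only read for logging, `colFamiliesForDebugLoggingOnly = Collections.emptyMap();` would serve as the initial value; the file already uses `Collections`, as the `@@ -383` hunk's context shows. A short comment that the variable stays empty unless debug was enabled on entry would also help, since the debug messages in the `@@ -383` and `@@ -529` hunks print it. `evaluateAccess` starts and ends outside this hunk.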
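Review bot: The loop in the `@@ -407` hunk now dereferences `familyMap.entrySet()` directly, but no hunk shows the declaration of `families` being removed or the guard ahead of the table-level branch being switched from `families` to `familyMap`. If that guard still tests `families`, the string map is presumably still built on every call and the memory saving is lost. If it was dropped elsewhere, a null `familyMap` would throw here instead of taking the table-level path, so it is worth confirming the check reads `familyMap == null || familyMap.isEmpty()`. I would also add a comment at `Bytes.toString(anEntry.getKey())` noting that this string is the family name handed to `session.columnFamily(family)`, so the conversion has to match what `getColumnFamilies` produced before. The loop body continues past the end of this hunk.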
@@ -488,8 +490,10 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation
 } else {
 LOG.debug("evaluateAccess: columns collection not empty. Skipping Family level check, will do finer level access check.");
 Set accessibleColumns = new HashSet(); // will be used in to populate our results cache for the filter
- for (String column : columns) {
- if (LOG.isDebugEnabled()) {
+ Iterator columnIterator = new ColumnIterator(columns);
+ while (columnIterator.hasNext()) {
+ String column = columnIterator.next();
+ if (LOG.isDebugEnabled()) {
 LOG.debug("evaluateAccess: Processing column: " + column);
 }
 session.column(column)
@@ -529,7 +533,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext ctx, String operation
 RangerAuthorizationFilter filter = new RangerAuthorizationFilter(session, familesAccessAllowed, familesAccessDenied, familesAccessIndeterminate, columnsAccessAllowed);
 result = new ColumnFamilyAccessResult(everythingIsAccessible, somethingIsAccessible, authorizedEvents, familyLevelAccessEvents, deniedEvent, denialReason, filter);
 if (LOG.isDebugEnabled()) {
- String message = String.format(messageTemplate, userName, operation, access, families.toString(), result.toString());
+ String message = String.format(messageTemplate, userName, operation, access, colFamiliesForDebugLoggingOnly.toString(), result.toString());
 LOG.debug(message);
 }
 return result;
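Review bot: `ColumnIterator` in the `@@ -488` hunk is now the only place where each element of the caller-supplied collection becomes the column name passed to `session.column(column)`, and its code is not part of this patch. Two things should be confirmed. First, it should fail closed on a null or unexpected element type rather than silently skipping it, because a skipped element would never reach the per-column check. Second, repeated qualifiers must be harmless: the old `Set` de-duplicated column names, whereas iterating the raw collection may evaluate the same column several times, and possibly record it several times if each evaluation is audited. A one-line comment above the `while`, e.g. `// ColumnIterator must yield a name for every element; duplicates are re-checked, never skipped`, would record both expectations. The enclosing else-branch continues outside the hunk.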