RANGER-5614 : Performance improvement for role create/update with many users, groups, and sub-roles

agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java

@@ -28,9 +28,9 @@
 public interface RoleStore {
     void init() throws Exception;
 
-    RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
+    RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup, Boolean isRefTableCleanupRequired) throws Exception;
 
-    RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
+    RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup, Boolean isRefTableCleanupRequired) throws Exception;
 
     void deleteRole(String roleName) throws Exception;
 

security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java

@@ -210,6 +210,9 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy
             createPrincipalsIfAbsent = false;
         }
 
+        final boolean policyExists = xPolicy != null && xPolicy.getId() != null
+                && daoMgr.getXXPolicy().getById(xPolicy.getId()) != null;
+
         if (CollectionUtils.isNotEmpty(roleNames)) {
             LOG.debug("x_policy_ref_role - New role entries to insert for policy ID {}: {}", policyId, roleNames);
 
@@ -222,7 +225,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy
 
             for (String roleName : filteredRoleNames) {
                 Long                 roleId     = nameToId.get(roleName);
-                PolicyRoleAssociator associator = new PolicyRoleAssociator(roleName, roleId, xPolicy);
+                PolicyRoleAssociator associator = new PolicyRoleAssociator(roleName, roleId, xPolicy, policyExists);
 
                 if (roleId != null) {
                     XXPolicyRefRole roleRef = associator.getPolicyRef();
@@ -257,7 +260,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy
 
             for (String groupName : filteredGroupNames) {
                 Long                  groupId    = nameToId.get(groupName);
-                PolicyGroupAssociator associator = new PolicyGroupAssociator(groupName, groupId, xPolicy);
+                PolicyGroupAssociator associator = new PolicyGroupAssociator(groupName, groupId, xPolicy, policyExists);
 
                 if (groupId != null) {
                     XXPolicyRefGroup groupRef = associator.getPolicyRef();
@@ -292,7 +295,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy
 
             for (String userName : filteredUserNames) {
                 Long                 userId     = nameToId.get(userName);
-                PolicyUserAssociator associator = new PolicyUserAssociator(userName, userId, xPolicy);
+                PolicyUserAssociator associator = new PolicyUserAssociator(userName, userId, xPolicy, policyExists);
 
                 if (userId != null) {
                     XXPolicyRefUser userRef = associator.getPolicyRef();
@@ -551,25 +554,23 @@ public void cleanupPolicyRefGroups(Set<String> policyGroups, Long policyId, XXPo
 
     public enum PRINCIPAL_TYPE { USER, GROUP, ROLE }
 
-    private boolean doesPolicyExist(XXPolicy policy) {
-        return daoMgr.getXXPolicy().getById(policy.getId()) != null;
-    }
-
     private class PolicyRoleAssociator implements Runnable {
         private final String   name;
         private final Long     roleId;
         private final XXPolicy xPolicy;
+        private final boolean  policyExists;
 
-        PolicyRoleAssociator(String name, Long roleId, XXPolicy xPolicy) {
-            this.name    = name;
-            this.roleId  = roleId;
-            this.xPolicy = xPolicy;
+        PolicyRoleAssociator(String name, Long roleId, XXPolicy xPolicy, boolean policyExists) {
+            this.name         = name;
+            this.roleId       = roleId;
+            this.xPolicy      = xPolicy;
+            this.policyExists = policyExists;
         }
 
         public XXPolicyRefRole getPolicyRef() {
             Long id = resolveRoleId(false);
 
-            if (id != null && doesPolicyExist(xPolicy)) {
+            if (id != null && policyExists) {
                 XXPolicyRefRole xPolRole = new XXPolicyRefRole();
 
                 xPolRole.setPolicyId(xPolicy.getId());
@@ -583,7 +584,7 @@ public XXPolicyRefRole getPolicyRef() {
         }
 
         public void createPolicyRef(Long id) {
-            if (doesPolicyExist(xPolicy)) {
+            if (policyExists) {
                 XXPolicyRefRole xPolRole = new XXPolicyRefRole();
 
                 xPolRole.setPolicyId(xPolicy.getId());
@@ -632,7 +633,7 @@ private Long createRole() {
 
             try {
                 RangerRole rRole       = new RangerRole(name, null, null, null, null);
-                RangerRole createdRole = roleStore.createRole(rRole, false);
+                RangerRole createdRole = roleStore.createRole(rRole, false, false);
 
                 return createdRole.getId();
             } catch (Exception e) {
@@ -645,17 +646,19 @@ private class PolicyGroupAssociator implements Runnable {
         private final String   name;
         private final Long     groupId;
         private final XXPolicy xPolicy;
+        private final boolean  policyExists;
 
-        PolicyGroupAssociator(String name, Long groupId, XXPolicy xPolicy) {
-            this.name     = name;
-            this.groupId  = groupId;
-            this.xPolicy  = xPolicy;
+        PolicyGroupAssociator(String name, Long groupId, XXPolicy xPolicy, boolean policyExists) {
+            this.name         = name;
+            this.groupId      = groupId;
+            this.xPolicy      = xPolicy;
+            this.policyExists = policyExists;
         }
 
         public XXPolicyRefGroup getPolicyRef() {
             Long id = resolveGroupId(false);
 
-            if (id != null && doesPolicyExist(xPolicy)) {
+            if (id != null && policyExists) {
                 XXPolicyRefGroup xPolGroup = new XXPolicyRefGroup();
 
                 xPolGroup.setPolicyId(xPolicy.getId());
@@ -669,7 +672,7 @@ public XXPolicyRefGroup getPolicyRef() {
         }
 
         public void createPolicyRef(Long id) {
-            if (doesPolicyExist(xPolicy)) {
+            if (policyExists) {
                 XXPolicyRefGroup xPolGroup = new XXPolicyRefGroup();
 
                 xPolGroup.setPolicyId(xPolicy.getId());
@@ -736,17 +739,19 @@ private class PolicyUserAssociator implements Runnable {
         private final String   name;
         private final Long     userId;
         private final XXPolicy xPolicy;
+        private final boolean  policyExists;
 
-        PolicyUserAssociator(String name, Long userId, XXPolicy xPolicy) {
-            this.name    = name;
-            this.userId  = userId;
-            this.xPolicy = xPolicy;
+        PolicyUserAssociator(String name, Long userId, XXPolicy xPolicy, boolean policyExists) {
+            this.name         = name;
+            this.userId       = userId;
+            this.xPolicy      = xPolicy;
+            this.policyExists = policyExists;
         }
 
         public XXPolicyRefUser getPolicyRef() {
             Long id = resolveUserId(false);
 
-            if (id != null && doesPolicyExist(xPolicy)) {
+            if (id != null && policyExists) {
                 XXPolicyRefUser xPolUser = new XXPolicyRefUser();
 
                 xPolUser.setPolicyId(xPolicy.getId());
@@ -760,7 +765,7 @@ public XXPolicyRefUser getPolicyRef() {
         }
 
         public void createPolicyRef(Long id) {
-            if (doesPolicyExist(xPolicy)) {
+            if (policyExists) {
                 XXPolicyRefUser xPolUser = new XXPolicyRefUser();
 
                 xPolUser.setPolicyId(xPolicy.getId());

security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java

@@ -95,7 +95,7 @@ public class RoleDBStore implements RoleStore {
     public void init() throws Exception {}
 
     @Override
-    public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroupRole) throws Exception {
+    public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroupRole, Boolean isRefTableCleanupRequired) throws Exception {
         LOG.debug("==> RoleDBStore.createRole()");
 
         XXRole xxRole = daoMgr.getXXRole().findByRoleName(role.getName());
@@ -115,15 +115,15 @@ public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroupRol
             throw new Exception("Cannot create role:[" + role + "]");
         }
 
-        roleRefUpdater.createNewRoleMappingForRefTable(createdRole, createNonExistUserGroupRole);
+        roleRefUpdater.createNewRoleMappingForRefTable(createdRole, createNonExistUserGroupRole, isRefTableCleanupRequired);
 
         roleService.createTransactionLog(createdRole, null, RangerBaseModelService.OPERATION_CREATE_CONTEXT);
 
         return createdRole;
     }
 
     @Override
-    public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRole) throws Exception {
+    public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRole, Boolean isRefTableCleanupRequired) throws Exception {
         XXRole xxRole = daoMgr.getXXRole().findByRoleId(role.getId());
 
         if (xxRole == null) {
@@ -150,7 +150,7 @@ public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRol
             throw new Exception("Cannot update role:[" + role + "]");
         }
 
-        roleRefUpdater.createNewRoleMappingForRefTable(updatedRole, createNonExistUserGroupRole);
+        roleRefUpdater.createNewRoleMappingForRefTable(updatedRole, createNonExistUserGroupRole, isRefTableCleanupRequired);
 
         roleService.updatePolicyVersions(updatedRole.getId());