You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Pradeep Agrawal (Jira)" <ji...@apache.org> on 2021/11/29 09:54:00 UTC

[jira] [Commented] (RANGER-3472) The createPolicy() method is not thread safe. In another word, we can create policies with same resources when creating policies concurrently

    [ https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17450307#comment-17450307 ] 

Pradeep Agrawal commented on RANGER-3472:
-----------------------------------------

[~Xuze Yang]  : Ranger support load balancing and High availability which means Its possible to have multiple ranger-admin process running and connected to single ranger db. Ranger client modules can have comma separated multiple ranger admin host url in the configuration to post create policy requests. In this case create policy request may land on any ranger-admin host thus locking or synchronisation on code level will not work. 

*RANGER-3493* shall create the db constraint on the x_policy table columns (service and resource_signature). RANGER-3493 [changes|https://github.com/apache/ranger/commit/de8f5e197fb93fcb924f7a59a88013b99bd1194b] has been committed so you can try to reproduce the case again with the latest code and let us know here. I am resolving this issue, please reopen if required.

 

> The createPolicy() method is not thread safe. In another word, we can create policies with same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3472
>                 URL: https://issues.apache.org/jira/browse/RANGER-3472
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Priority: Major
>
> In our production environment, we happen to find that two policies exist with the same resources.In this case, when we want to modify either policy, ranger doesn't allow this operation and throws message like "*Error Code : 3010 Another policy already exists for matching resource: policy-name=[hhh9], service=[default-Hdfs]*". 
> I go through the source code about create policy, find that the createPolicy() in class ServiceREST is not thread safe. When we create policies concurrently, we may create several policies with the same resources.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)