You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Xuze Yang (Jira)" <ji...@apache.org> on 2021/10/15 02:13:00 UTC
[jira] [Comment Edited] (RANGER-3472) The createPolicy() method is
not thread safe. In another word, we can create policies with same
resources when creating policies concurrently
[ https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17429083#comment-17429083 ]
Xuze Yang edited comment on RANGER-3472 at 10/15/21, 2:12 AM:
--------------------------------------------------------------
[~madhan], thanks for your suggestion. All we've been talking about is applying unique-key constraint on columns. I am now wondering whether it is feasible to add lock on the code. I think one of the roughest possible ways is as follows:
{code:java}
synchronized(this){
RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
ensureAdminAccess(policy);
bizUtil.blockAuditorRoleUser();
ret = svcStore.createPolicy(policy);
}
{code}
The above code is a fragment of the createPolicy() in ServiceREST class. Of course, this lock is too coarse-grained, we need to make the lock fine-grained. For example, we should allow concurrently creating policies in differrent services, etc. Do you think add locking on createPolicy is a feasible way? Looking forward to your reply.
was (Author: xuze yang):
[~madhan], thanks for your suggestion. All we've been talking about is applying unique-key constraint on columns. I am now wondering whether it is feasible to add lock on the code. I think one of the roughest possible ways is as follows:
{code:java}
synchronized(this){
RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
ensureAdminAccess(policy);
bizUtil.blockAuditorRoleUser();
ret = svcStore.createPolicy(policy);
}
{code}
The above code is a fragment of the createPolicy() in ServiceREST class. Of course, this lock is too coarse-grained, we need to make the lock fine-grained. For example, we should allow concurrently creating policies in differrent services. Do you think add locking on createPolicy is a feasible way? Looking forward to your reply.
> The createPolicy() method is not thread safe. In another word, we can create policies with same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3472
> URL: https://issues.apache.org/jira/browse/RANGER-3472
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major
>
> In our production environment, we happen to find that two policies exist with the same resources.In this case, when we want to modify either policy, ranger doesn't allow this operation and throws message like "*Error Code : 3010 Another policy already exists for matching resource: policy-name=[hhh9], service=[default-Hdfs]*".
> I go through the source code about create policy, find that the createPolicy() in class ServiceREST is not thread safe. When we create policies concurrently, we may create several policies with the same resources.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)