[ https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428687#comment-17428687 ]
Madhan Neethiraj commented on RANGER-3472:
------------------------------------------

[~Xuze Yang] - thank you for reporting this issue.

Enforcing a single policy for a given resource-set would require a DB schema update, to apply a unique-key constraint on column x_policy.resource_signature. This is essential since multiple instances of Ranger admin can connect to the same DB schema (to provide HA).

However, Ranger allows multiple policies to exist for the same resource-set - as long as only one of these policies is in enabled state. This would not be possible if 'x_policy.resource_signature' has a unique-key constraint. Addressing this requirement would require a more involved solution.

You might consider the following option: if your environment doesn't require disabled and enabled policies to exist for the same resource-set, you can apply the above-mentioned DB constraint.

> The createPolicy() method is not thread safe. In another word, we can create policies with same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3472
>                 URL: https://issues.apache.org/jira/browse/RANGER-3472
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Priority: Major
>
> In our production environment, we happen to find that two policies exist with the same resources. In this case, when we want to modify either policy, ranger doesn't allow this operation and throws message like "*Error Code : 3010 Another policy already exists for matching resource: policy-name=[hhh9], service=[default-Hdfs]*".
> I go through the source code about create policy, find that the createPolicy() in class ServiceREST is not thread safe. When we create policies concurrently, we may create several policies with the same resources.
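The check-then-insert race and the unique-key trade-off discussed in this thread, as an added example that is not part of the original messages or of Ranger's code. It uses a constructed SQLite table standing in for x_policy; only the column name resource_signature comes from the thread, and the other columns, the index name and the function names are assumptions.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for Ranger's x_policy table. Only the column name
# resource_signature comes from the thread; the rest is assumed for the demo.
SCHEMA = ("CREATE TABLE x_policy (id INTEGER PRIMARY KEY, name TEXT, "
          "resource_signature TEXT, is_enabled INTEGER)")
UNIQUE_KEY = "CREATE UNIQUE INDEX ux_sig ON x_policy (resource_signature)"


def enabled_policy_exists(conn, sig):
    """Application-level duplicate check, run before the insert."""
    q = ("SELECT COUNT(*) FROM x_policy "
         "WHERE resource_signature = ? AND is_enabled = 1")
    return conn.execute(q, (sig,)).fetchall()[0][0] > 0


def insert_policy(conn, name, sig, enabled=1):
    """Insert and commit; return False if a DB constraint rejects the row."""
    try:
        conn.execute("INSERT INTO x_policy (name, resource_signature, is_enabled)"
                     " VALUES (?, ?, ?)", (name, sig, enabled))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def simulate(unique_key):
    """Two admin instances (two connections) interleave check-then-insert."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ranger.db")
        a, b = sqlite3.connect(path), sqlite3.connect(path)
        a.executescript(SCHEMA + ";" + (UNIQUE_KEY if unique_key else ""))
        sig = "sig-of-/data/hhh"  # constructed signature value
        # Both instances run the check before either has inserted.
        seen = [enabled_policy_exists(c, sig) for c in (a, b)]
        created = [insert_policy(c, n, sig)
                   for c, n, s in zip((a, b), ("p1", "p2"), seen) if not s]
        # Trade-off from the comment: a disabled policy on the same resources.
        disabled_ok = insert_policy(a, "p3-disabled", sig, enabled=0)
        rows = a.execute("SELECT COUNT(*) FROM x_policy").fetchall()[0][0]
        a.close()
        b.close()
        return created, disabled_ok, rows
```

Without the index both concurrent creates succeed and a duplicate is stored; with it the second create is rejected by the database, and so is the disabled policy on the same resource-set.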