[jira] [Commented] (RANGER-3472) The createPolicy() method is not thread safe. In another word, we can create policies with same resources when creating policies concurrently

Thu, 14 Oct 2021 01:28:07 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428687#comment-17428687
 ] 

Madhan Neethiraj commented on RANGER-3472:
------------------------------------------

[~Xuze Yang]  - thank you for reporting this issue. Enforcing a single policy 
for a given resource-set would require DB schema update, to apply unique-key 
constraint on column x_policy.resource_signature. This is essential since 
multiple instances of Ranger admin can connect to the same DB schema (to 
provide HA). However Ranger allows multiple policies to exist for same 
resource-set - as long as only one these policies are in enabled state. This 
would not be possible if 'x_policy.resource_signature' has unique-key 
constraint. Addressing this requirement would require more involved solution. 

You might consider the following option: if your environment doesn't require 
disabled and enabled policies to exist for same resource-set, you can apply 
above mentioned DB constraint.

 

> The createPolicy() method is not thread safe. In another word, we can create 
> policies with same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3472
>                 URL: https://issues.apache.org/jira/browse/RANGER-3472
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Priority: Major
>
> In our production environment, we happen to find that two policies exist with 
> the same resources.In this case, when we want to modify either policy, ranger 
> doesn't allow this operation and throws message like "*Error Code : 3010 
> Another policy already exists for matching resource: policy-name=[hhh9], 
> service=[default-Hdfs]*". 
> I go through the source code about create policy, find that the 
> createPolicy() in class ServiceREST is not thread safe. When we create 
> policies concurrently, we may create several policies with the same resources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to