[ 
https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428719#comment-17428719
 ] 

Xuze Yang commented on RANGER-3472:
-----------------------------------

[~madhan], thank you for your reply. Compared to adding locks in the create policy 
methods, I also think that applying a unique-key constraint on the column is a 
better way to implement this. You mentioned a solution above: apply a unique-key 
constraint on column x_policy.resource_signature. As you mentioned above, this 
approach will have problems in the following scenarios: 
1. Create the same resource policy with status of disabled. 
2. Create the same resource policy under different services in the same 
warehouse. (E.g., two services named default-HDFS1 and default-HDFS2 can exist in 
the HDFS warehouse. It's reasonable to create a policy in default-HDFS1 even if 
the same policy has already been created in default-HDFS2.)
3. Create the same resource policy under different zones. 
I think a better way is to apply a unique-key constraint on four columns - 
'resource_signature', 'service', 'zone_id' and 'is_enabled', just like the 
statement below:
{code:java}
UNIQUE KEY `x_policy_UK_resource_service_zone_enabled` 
(`resource_signature`, `service`, `zone_id`, `is_enabled`)
{code}
If we apply this unique-key constraint, the above problems will be resolved (one 
problem still exists: we can only create one disabled-state policy at most). Do 
you think this is a reasonable solution?

> The createPolicy() method is not thread safe. In other words, we can create 
> policies with the same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3472
>                 URL: https://issues.apache.org/jira/browse/RANGER-3472
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Priority: Major
>
> In our production environment, we happened to find that two policies exist with 
> the same resources. In this case, when we want to modify either policy, Ranger 
> doesn't allow this operation and throws a message like "*Error Code : 3010 
> Another policy already exists for matching resource: policy-name=[hhh9], 
> service=[default-Hdfs]*". 
> I went through the source code for creating policies and found that 
> createPolicy() in class ServiceREST is not thread safe. When we create 
> policies concurrently, we may create several policies with the same resources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
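
The four-column unique key proposed in the comment above, exercised against the scenarios it lists. This is an added example, not part of the original message and not Ranger's code. It assumes a reduced stand-in for the x_policy table with only the relevant columns, all declared NOT NULL, uses an in-memory SQLite database in place of Ranger's database, and all names and values in the rows are constructed.

```python
import sqlite3

# Reduced stand-in for x_policy (assumed columns; not Ranger's real schema).
SCHEMA = """
CREATE TABLE x_policy (
    id                 INTEGER PRIMARY KEY,
    name               TEXT    NOT NULL,
    resource_signature TEXT    NOT NULL,
    service            INTEGER NOT NULL,
    zone_id            INTEGER NOT NULL,
    is_enabled         INTEGER NOT NULL,
    CONSTRAINT x_policy_UK_resource_service_zone_enabled
        UNIQUE (resource_signature, service, zone_id, is_enabled)
)
"""

def try_create(conn, name, sig, service, zone_id, enabled):
    """Insert a policy row. True if stored, False if the unique key rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO x_policy (name, resource_signature, service,"
                " zone_id, is_enabled) VALUES (?, ?, ?, ?, ?)",
                (name, sig, service, zone_id, int(enabled)))
        return True
    except sqlite3.IntegrityError:
        return False

def run_scenarios():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    sig = "sig-constructed-0001"  # constructed signature value
    results = {
        "first": try_create(conn, "p1", sig, 1, 1, True),
        # Loser of a concurrent create: its application-level duplicate check
        # already passed, so only the database can still reject it.
        "racing_duplicate": try_create(conn, "p2", sig, 1, 1, True),
        "disabled_copy": try_create(conn, "p3", sig, 1, 1, False),    # scenario 1
        "other_service": try_create(conn, "p4", sig, 2, 1, True),     # scenario 2
        "other_zone": try_create(conn, "p5", sig, 1, 2, True),        # scenario 3
        # The remaining limitation named in the comment.
        "second_disabled": try_create(conn, "p6", sig, 1, 1, False),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for scenario, stored in run_scenarios().items():
        print(f"{scenario:18} {'stored' if stored else 'rejected'}")
```

The NOT NULL declarations matter: a UNIQUE index treats NULLs as distinct from one another, so a nullable column in the key would let duplicate rows through whenever that column is NULL.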
