[
https://issues.apache.org/jira/browse/RANGER-3472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17429083#comment-17429083
]
Xuze Yang edited comment on RANGER-3472 at 10/15/21, 2:12 AM:
--------------------------------------------------------------
[~madhan], thanks for your suggestion. All we've been talking about is applying
unique-key constraint on columns. I am now wondering whether it is feasible to
add lock on the code. I think one of the roughest possible ways is as follows:
{code:java}
synchronized(this){
RangerPolicyValidator validator =
validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
ensureAdminAccess(policy);
bizUtil.blockAuditorRoleUser();
ret = svcStore.createPolicy(policy);
}
{code}
The above code is a fragment of the createPolicy() in ServiceREST class. Of
course, this lock is too coarse-grained, we need to make the lock fine-grained.
For example, we should allow concurrently creating policies in differrent
services, etc. Do you think add locking on createPolicy is a feasible way?
Looking forward to your reply.
was (Author: xuze yang):
[~madhan], thanks for your suggestion. All we've been talking about is applying
unique-key constraint on columns. I am now wondering whether it is feasible to
add lock on the code. I think one of the roughest possible ways is as follows:
{code:java}
synchronized(this){
RangerPolicyValidator validator =
validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
ensureAdminAccess(policy);
bizUtil.blockAuditorRoleUser();
ret = svcStore.createPolicy(policy);
}
{code}
The above code is a fragment of the createPolicy() in ServiceREST class. Of
course, this lock is too coarse-grained, we need to make the lock fine-grained.
For example, we should allow concurrently creating policies in differrent
services. Do you think add locking on createPolicy is a feasible way? Looking
forward to your reply.
> The createPolicy() method is not thread safe. In another word, we can create
> policies with same resources when creating policies concurrently
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3472
> URL: https://issues.apache.org/jira/browse/RANGER-3472
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major
>
> In our production environment, we happen to find that two policies exist with
> the same resources.In this case, when we want to modify either policy, ranger
> doesn't allow this operation and throws message like "*Error Code : 3010
> Another policy already exists for matching resource: policy-name=[hhh9],
> service=[default-Hdfs]*".
> I go through the source code about create policy, find that the
> createPolicy() in class ServiceREST is not thread safe. When we create
> policies concurrently, we may create several policies with the same resources.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
