Alex Stiff created RANGER-3726:
----------------------------------
Summary: Auditor role causes usersync and login to gradually slow down
Key: RANGER-3726
URL: https://issues.apache.org/jira/browse/RANGER-3726
Project: Ranger
Issue Type: Bug
Components: audit, usersync
Affects Versions: 1.2.0
Reporter: Alex Stiff
When configuring a user with a group-based role assignment to the
ROLE_ADMIN_AUDITOR role, running the usersync process causes a malformed user
permission to be assigned to that user. Each time usersync is run, this adds
more user permissions, until eventually there are enough that the usersync and
login processes take several minutes to complete.
*Configuration*
I have this configured in ranger-ugsync-site.xml:
{code:xml}
<property>
  <name>ranger.usersync.group.based.role.assignment.rules</name>
  <value>ROLE_ADMIN_AUDITOR:u:myusername</value>
</property>
{code}
And the usersync process is being invoked with:
{code:java}
/usr/bin/java -Dproc_rangerusersync
-Dlog4j.configuration=file:/etc/ranger/conf/log4j.properties
-XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx1g -Xms1g -Duser=ranger
-Dhostname=<redacted> -Dlogdir=/var/log/ranger/usersync -cp
/usr/local/ranger-usersync/dist/*:/usr/local/ranger-usersync/lib/*:/usr/local/ranger-usersync/conf:
org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth
{code}
*Observations*
Upon the usersync process restarting, the x_user_module_perm table in the
ranger database has new rows added to it. These all have "module_id" set to
[null]. These rows are never removed or updated. During login, this causes the
call to /service/users/profile to take longer and longer. In production, 15,000
rows in this table for a single user caused the login to take 2.5 minutes.
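The following check is an added example, not part of the original report or of Ranger's own code. It counts, per user, the rows in x_user_module_perm whose module_id is NULL, which is the symptom described under Observations. The `user_id` column name, the function names and the in-memory sample table are assumptions made for the demonstration.

```python
import sqlite3

# Assumption: x_user_module_perm has a user_id column next to the module_id
# column named in the report; confirm against your Ranger schema before use.
# The "?" placeholder is sqlite3 style; other DB drivers may expect "%s".
NULL_MODULE_PERM_QUERY = """
    SELECT user_id, COUNT(*) AS null_module_rows
    FROM x_user_module_perm
    WHERE module_id IS NULL
    GROUP BY user_id
    HAVING COUNT(*) >= ?
    ORDER BY null_module_rows DESC
"""


def find_users_with_null_module_perms(conn, threshold=1):
    """Return [(user_id, row_count)] for users holding NULL-module rows."""
    return conn.execute(NULL_MODULE_PERM_QUERY, (threshold,)).fetchall()


def build_sample_db():
    """Constructed stand-in for the Ranger database (offline demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE x_user_module_perm ("
        "id INTEGER PRIMARY KEY, user_id INTEGER, module_id INTEGER)"
    )
    rows = [(7, 1), (7, 2)]       # user 7: two well-formed permissions
    rows += [(42, 3)]             # user 42: one well-formed permission...
    rows += [(42, None)] * 5      # ...plus five rows with module_id NULL
    rows += [(9, None)]           # user 9: a single NULL row
    conn.executemany(
        "INSERT INTO x_user_module_perm (user_id, module_id) VALUES (?, ?)",
        rows,
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for user_id, count in find_users_with_null_module_perms(db):
        print(f"user_id={user_id} null_module_rows={count}")
```

Running the same query before and after a usersync restart shows whether the count for an affected user is growing.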