[
https://issues.apache.org/jira/browse/RANGER-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xuze Yang updated RANGER-5403:
------------------------------
Description:
HDFS plugin may intermittently return incorrect authorization results when
evaluating path-based policies.
This issue occurs under concurrent access due to unsafe lazy initialization
inside RangerPathResourceMatcher$CaseSensitiveRecursiveMatcher.
Symptoms
•Sporadic access denied errors for valid HDFS paths
•The issue appears shortly after policy refresh
Root Cause
valueWithoutSeparator and valueWithSeparator are lazily initialized inside
isMatch() without proper synchronization or safe publication.
For example:
1.Request R1 starts initializing only valueWithoutSeparator
2.Before R1 assigns valueWithSeparator, Request R2 skips initialization
(because valueWithoutSeparator != null)
3.R2 reads valueWithSeparator == null
4.startsWith() check fails → false negative authorization
This has been reproduced in stress tests of HDFS authorization in our
environment.
was:
HDFS plugin may intermittently return incorrect authorization results when
evaluating path-based policies.
This issue occurs under concurrent access due to unsafe lazy initialization
inside RangerPathResourceMatcher$CaseSensitiveRecursiveMatcher.
Symptoms
•Sporadic access denied errors for valid HDFS paths
•The issue appears shortly after policy refresh
Root Cause
valueWithoutSeparator and valueWithSeparator are lazily initialized inside
isMatch() without proper synchronization or safe publication.
For example:
1.Request R1 starts initializing only valueWithoutSeparator
2.Before R1 assigns valueWithSeparator, Request R2 skips initialization
(because valueWithoutSeparator != null)
3.R2 reads valueWithSeparator == null
4.startsWith() check fails → false negative authorization
This has been reproduced in stress tests of HDFS authorization.
> Intermittent HDFS authorization failures caused by unsafe lazy initialization
> in CaseSensitiveRecursiveMatcher
> --------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5403
> URL: https://issues.apache.org/jira/browse/RANGER-5403
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major
>
> HDFS plugin may intermittently return incorrect authorization results when
> evaluating path-based policies.
> This issue occurs under concurrent access due to unsafe lazy initialization
> inside RangerPathResourceMatcher$CaseSensitiveRecursiveMatcher.
>
> Symptoms
> •Sporadic access denied errors for valid HDFS paths
> •The issue appears shortly after policy refresh
>
> Root Cause
>
> valueWithoutSeparator and valueWithSeparator are lazily initialized inside
> isMatch() without proper synchronization or safe publication.
>
> For example:
> 1.Request R1 starts initializing only valueWithoutSeparator
> 2.Before R1 assigns valueWithSeparator, Request R2 skips initialization
> (because valueWithoutSeparator != null)
> 3.R2 reads valueWithSeparator == null
> 4.startsWith() check fails → false negative authorization
>
> This has been reproduced in stress tests of HDFS authorization in our
> environment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
