[jira] [Assigned] (RANGER-5403) Intermittent HDFS authorization failures caused by unsafe lazy initialization in CaseSensitiveRecursiveMatcher

[Xuze Yang (Jira)]

     [ 
https://issues.apache.org/jira/browse/RANGER-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang reassigned RANGER-5403:
---------------------------------

    Assignee: Xuze Yang

> Intermittent HDFS authorization failures caused by unsafe lazy initialization 
> in CaseSensitiveRecursiveMatcher
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5403
>                 URL: https://issues.apache.org/jira/browse/RANGER-5403
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Assignee: Xuze Yang
>            Priority: Major
>
> HDFS plugin may intermittently return incorrect authorization results when 
> evaluating path-based policies.
> This issue occurs under concurrent access due to unsafe lazy initialization 
> inside RangerPathResourceMatcher$CaseSensitiveRecursiveMatcher.
>  
> Symptoms
> •Sporadic access denied errors for valid HDFS paths
> •The issue appears shortly after policy refresh
>  
> Root Cause
>  
> valueWithoutSeparator and valueWithSeparator are lazily initialized inside 
> isMatch() without proper synchronization or safe publication.
>  
> For example:
> 1.Request R1 starts initializing only valueWithoutSeparator
> 2.Before R1 assigns valueWithSeparator, Request R2 skips initialization 
> (because valueWithoutSeparator != null)
> 3.R2 reads valueWithSeparator == null
> 4.startsWith() check fails → false negative authorization
>  
> This has been reproduced in stress tests of HDFS authorization in our 
> environment.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)