kirby zhou created RANGER-4106:
----------------------------------

             Summary: NullPtr Exception when REST API 
/service/roles/secure/download/  is not allowed to user.
                 Key: RANGER-4106
                 URL: https://issues.apache.org/jira/browse/RANGER-4106
             Project: Ranger
          Issue Type: Bug
          Components: admin
    Affects Versions: 2.3.0, 3.0.0, 2.4.0
            Reporter: kirby zhou


I have see a lot of exceptions in log catalina.out like that:

 
{code:java}
Feb 23, 2023 7:17:21 AM com.sun.jersey.spi.container.ContainerResponse 
mapMappableContainerException
SEVERE: The RuntimeException could not be mapped to a response, re-throwing to 
the HTTP container
java.lang.NullPointerException
        at 
org.apache.ranger.biz.AssetMgr.doCreateOrUpdateXXPluginInfo(AssetMgr.java:831)
        at 
org.apache.ranger.biz.AssetMgr.createOrUpdatePluginInfo(AssetMgr.java:791)
        at org.apache.ranger.biz.AssetMgr.createPluginInfo(AssetMgr.java:728)
        at 
org.apache.ranger.rest.RoleREST.getSecureRangerRolesIfUpdated(RoleREST.java:874)
        at 
org.apache.ranger.rest.RoleREST$$FastClassBySpringCGLIB$$d1176b81.invoke(<generated>)
...

{code}
 

 

Using debugger to trace the code.

It caused by 

 
{code:java}
// AssertMgr.java doCreateOrUpdateXXPluginInfo()
// which get a null value of RoleDownloadedVersion, raise exception.

831:   if (pluginInfo.getRoleDownloadTime() != null && 
pluginInfo.getRoleDownloadedVersion().equals(pluginInfo.getRoleActiveVersion())

// called by createOrUpdatePluginInfo() in AssertMgr.java 
...
// called by createPluginInfo() in AssetMgr.java
// which will set RoleDownloadTime to non-null, regardless of the value of 
RoleDownloadedVersion/downloadedVersion.

    case RangerPluginInfo.ENTITY_TYPE_ROLES:
      pluginSvcVersionInfo.setRoleActiveVersion(lastKnownVersion);
      pluginSvcVersionInfo.setRoleActivationTime(lastActivationTime);
      pluginSvcVersionInfo.setRoleDownloadedVersion(downloadedVersion);
      pluginSvcVersionInfo.setRoleDownloadTime(new Date().getTime());
      break;
   case RangerPluginInfo.ENTITY_TYPE_USERSTORE:
      pluginSvcVersionInfo.setUserStoreActiveVersion(lastKnownVersion);
      pluginSvcVersionInfo.setUserStoreActivationTime(lastActivationTime);
      pluginSvcVersionInfo.setUserStoreDownloadedVersion(downloadedVersion);
      pluginSvcVersionInfo.setUserStoreDownloadTime(new Date().getTime());
      break;
}

createOrUpdatePluginInfo(pluginSvcVersionInfo, entityType , httpCode, 
clusterName);

// called by getSecureRangerRolesIfUpdated() in RoleRest.java
// which will not set downloadedVersion when isAllowed = false.

Long    downloadedVersion = null;
...
if (isValid) {
    try {
        ...
        if (isAllowed) {
            RangerRoles roles = roleStore.getRoles(serviceName, 
lastKnownRoleVersion);
            if (roles == null) {
                downloadedVersion = lastKnownRoleVersion;
            } else {
                downloadedVersion = roles.getRoleVersion();
            }
        } else {
            httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is 
authenticated.
        }
    } catch (Throwable excp) {
    }
}

assetMgr.createPluginInfo(serviceName, pluginId, request, 
RangerPluginInfo.ENTITY_TYPE_ROLES, downloadedVersion, lastKnownRoleVersion, 
lastActivationTime, httpCode, clusterName, pluginCapabilities);


{code}
 

The simplest method is to modify AssertMgr.java to that, this is the behavior 
tag and policy 
{code:java}
if (pluginInfo.getRoleDownloadedVersion() != null && 
pluginInfo.getRoleDownloadedVersion().equals(pluginInfo.getRoleActiveVersion()))
 {
 {code}
Btw: the case of UserStore seems have the same bug.
{code:java}
} else {
   if (pluginInfo.getUserStoreDownloadTime() != null && 
pluginInfo.getUserStoreDownloadedVersion().equals(pluginInfo.getUserStoreActiveVersion()))
 {
      // This is our best guess of when users and groups may have been 
downloaded
      
pluginInfo.setUserStoreDownloadTime(pluginInfo.getUserStoreActivationTime());
   }
}
 {code}
 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to