kirby zhou created RANGER-4106:
----------------------------------

Summary: NullPtr Exception when REST API /service/roles/secure/download/ is not allowed to user.
Key: RANGER-4106
URL: https://issues.apache.org/jira/browse/RANGER-4106
Project: Ranger
Issue Type: Bug
Components: admin
Affects Versions: 2.3.0, 3.0.0, 2.4.0
Reporter: kirby zhou

I have seen a lot of exceptions in the log catalina.out like this:

{code:java}
Feb 23, 2023 7:17:21 AM com.sun.jersey.spi.container.ContainerResponse mapMappableContainerException
SEVERE: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
java.lang.NullPointerException
        at org.apache.ranger.biz.AssetMgr.doCreateOrUpdateXXPluginInfo(AssetMgr.java:831)
        at org.apache.ranger.biz.AssetMgr.createOrUpdatePluginInfo(AssetMgr.java:791)
        at org.apache.ranger.biz.AssetMgr.createPluginInfo(AssetMgr.java:728)
        at org.apache.ranger.rest.RoleREST.getSecureRangerRolesIfUpdated(RoleREST.java:874)
        at org.apache.ranger.rest.RoleREST$$FastClassBySpringCGLIB$$d1176b81.invoke(<generated>)
...
{code}

Using a debugger to trace the code. It is caused by:

{code:java}
// AssetMgr.java doCreateOrUpdateXXPluginInfo()
// which gets a null value of RoleDownloadedVersion and raises the exception.
831: if (pluginInfo.getRoleDownloadTime() != null && pluginInfo.getRoleDownloadedVersion().equals(pluginInfo.getRoleActiveVersion())) {

// called by createOrUpdatePluginInfo() in AssetMgr.java
...

// called by createPluginInfo() in AssetMgr.java
// which will set RoleDownloadTime to non-null, regardless of the value of RoleDownloadedVersion/downloadedVersion.
    case RangerPluginInfo.ENTITY_TYPE_ROLES:
        pluginSvcVersionInfo.setRoleActiveVersion(lastKnownVersion);
        pluginSvcVersionInfo.setRoleActivationTime(lastActivationTime);
        pluginSvcVersionInfo.setRoleDownloadedVersion(downloadedVersion);
        pluginSvcVersionInfo.setRoleDownloadTime(new Date().getTime());
        break;
    case RangerPluginInfo.ENTITY_TYPE_USERSTORE:
        pluginSvcVersionInfo.setUserStoreActiveVersion(lastKnownVersion);
        pluginSvcVersionInfo.setUserStoreActivationTime(lastActivationTime);
        pluginSvcVersionInfo.setUserStoreDownloadedVersion(downloadedVersion);
        pluginSvcVersionInfo.setUserStoreDownloadTime(new Date().getTime());
        break;
}
createOrUpdatePluginInfo(pluginSvcVersionInfo, entityType, httpCode, clusterName);

// called by getSecureRangerRolesIfUpdated() in RoleREST.java
// which will not set downloadedVersion when isAllowed = false.
Long downloadedVersion = null;
...
if (isValid) {
    try {
        ...
        if (isAllowed) {
            RangerRoles roles = roleStore.getRoles(serviceName, lastKnownRoleVersion);
            if (roles == null) {
                downloadedVersion = lastKnownRoleVersion;
            } else {
                downloadedVersion = roles.getRoleVersion();
            }
        } else {
            httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
        }
    } catch (Throwable excp) { }
}
assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_ROLES, downloadedVersion, lastKnownRoleVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
{code}

The simplest method is to modify AssetMgr.java like this; this is the behavior of tag and policy:

{code:java}
if (pluginInfo.getRoleDownloadedVersion() != null && pluginInfo.getRoleDownloadedVersion().equals(pluginInfo.getRoleActiveVersion())) {
{code}

Btw: the case of UserStore seems to have the same bug.

{code:java}
} else {
    if (pluginInfo.getUserStoreDownloadTime() != null && pluginInfo.getUserStoreDownloadedVersion().equals(pluginInfo.getUserStoreActiveVersion())) {
        // This is our best guess of when users and groups may have been downloaded
        pluginInfo.setUserStoreDownloadTime(pluginInfo.getUserStoreActivationTime());
    }
}
{code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
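
The null-guard mismatch described in the report, reduced to a stand-alone Java program that runs the denied-request state through both forms of the check. This is an added example, not code from Ranger or from the reporter; `PluginInfoSketch`, the method names and the sample values are hypothetical stand-ins for the fields quoted above.

```java
// Added illustration. PluginInfoSketch is a hypothetical stand-in for the
// plugin-info fields quoted in the report, not Ranger's own class.
public class RoleDownloadGuardDemo {
    static class PluginInfoSketch {
        Long roleDownloadTime;
        Long roleDownloadedVersion;
        Long roleActiveVersion;
        Long roleActivationTime;
    }

    // Shape of the check quoted at AssetMgr.java:831:
    // the guard tests roleDownloadTime, the dereference is on roleDownloadedVersion.
    static void reportedCheck(PluginInfoSketch p) {
        if (p.roleDownloadTime != null && p.roleDownloadedVersion.equals(p.roleActiveVersion)) {
            p.roleDownloadTime = p.roleActivationTime;
        }
    }

    // Shape of the reporter's proposed check: guard the field that is dereferenced.
    static void proposedCheck(PluginInfoSketch p) {
        if (p.roleDownloadedVersion != null && p.roleDownloadedVersion.equals(p.roleActiveVersion)) {
            p.roleDownloadTime = p.roleActivationTime;
        }
    }

    // State on the denied path as the report describes it: the download time
    // is always set, while downloadedVersion is never assigned.
    static PluginInfoSketch deniedRequestState() {
        PluginInfoSketch p = new PluginInfoSketch();
        p.roleDownloadTime = System.currentTimeMillis();
        p.roleDownloadedVersion = null;            // isAllowed == false
        p.roleActiveVersion = 7L;                  // constructed sample value
        p.roleActivationTime = 1_677_000_000_000L; // constructed sample value
        return p;
    }

    public static void main(String[] args) {
        try {
            reportedCheck(deniedRequestState());
            System.out.println("reported check: completed");
        } catch (NullPointerException e) {
            System.out.println("reported check: NullPointerException on denied request");
        }
        PluginInfoSketch p = deniedRequestState();
        proposedCheck(p);
        System.out.println("proposed check: completed, downloadedVersion=" + p.roleDownloadedVersion);
    }
}
```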