  1. Ranger
  2. RANGER-2416

A single user is created twice when creating the default policy and the usersync process syncs the user at the same time, and a 404 HTTP code is returned when retrieving service policies


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.6.0
    • Fix Version/s: None
    • Component/s: admin
    • Labels: None
    • Environment: in hdp ambari 2.6

    Description

      A single user is created twice when the default policy is created and the usersync process syncs the user at the same time, and we get a 404 HTTP code when retrieving service policies.
      The two concurrent processes creating the same user at the same time:

      1) When creating a service repository like kafka, Ranger admin will create a default policy for the user kafka. If the user kafka doesn't exist, Ranger admin creates the user first.
      2) The Ranger usersync process syncs the user kafka from LDAP.

      If the above two processes happen at nearly the same time, the user will be created twice on the Ranger admin side. As a result, the Ranger admin DB's x_user table gets two records for the user kafka, as shown below:
      mysql> select id,added_by_id,user_name,descr from x_user where user_name='kafka' or id=2 or id=27;
      +----+-------------+----------------+-------------------------------+
      | id | added_by_id | user_name      | descr                         |
      +----+-------------+----------------+-------------------------------+
      | 2  | NULL        | rangerusersync | rangerusersync                |
      | 27 | 2           | ambari-qa      | ambari-qa - add from Unix box |
      | 28 | 27          | kafka          | kafka                         |
      | 29 | 2           | kafka          | kafka - add from Unix box     |
      +----+-------------+----------------+-------------------------------+

      In this situation, if we search policies for the service kafka, we get a 404 HTTP code. This is caused by XXUserDao's error when getting a single result:

      getEntityManager()
      .createNamedQuery("XXUser.findByUserName", XXUser.class)
      .setParameter("name", name.trim())
      .getSingleResult();

      The command for searching policies:
      curl -i -H 'Authorization:Basic YW1iX3Jhbmdlcl9hZG1pbjphbWJhcmkxMjM='  -H 'Accept:application/json'  -H 'Content-Type:application/json' http://tbds-10-0-0-16:6080/service/public/api/policy?repositoryName=tdw_kafka\&repositoryType=kafka\&isEnabled=true

      This bug reproduced several times in the last two years. Our data platform uses Ranger to manage 9 services for security. The above problem only happens when we create a service repository.

      Our solution:
      Add a unique index on the x_user table's user_name column, and swallow the exception for the create-user failure (because the user was already created by the usersync process) when creating the default policy.

          People

            Assignee: Unassigned
            Reporter: leslizhang zhangxiong
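
The race described in the report and the reporter's proposed fix, replayed deterministically as an added example (not Ranger code). SQLite stands in for the MySQL `x_user` table, and `make_db`, `exists`, `create_user`, `find_single`, `race` and the index name are hypothetical.

```python
import sqlite3

def make_db(unique):
    """In-memory stand-in for x_user (constructed schema; SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE x_user (id INTEGER PRIMARY KEY, user_name TEXT, descr TEXT)")
    if unique:
        # Hypothetical index name; this is the constraint the report proposes.
        db.execute("CREATE UNIQUE INDEX x_user_uk_name ON x_user (user_name)")
    return db

def exists(db, name):
    return db.execute("SELECT 1 FROM x_user WHERE user_name = ?", (name,)).fetchone() is not None

def create_user(db, name, descr):
    """Insert a user; return False when the unique index rejects a duplicate."""
    try:
        db.execute("INSERT INTO x_user (user_name, descr) VALUES (?, ?)", (name, descr))
        return True
    except sqlite3.IntegrityError:
        return False  # the other writer got there first: safe to swallow

def find_single(db, name):
    """Mimics getSingleResult(): exactly one row, otherwise an error."""
    rows = db.execute("SELECT id, descr FROM x_user WHERE user_name = ?", (name,)).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected 1 row for {name!r}, got {len(rows)}")
    return rows[0]

def race(unique):
    """Replay the interleaving: both writers check before either one inserts."""
    db = make_db(unique)
    admin_sees = exists(db, "kafka")   # default-policy path
    sync_sees = exists(db, "kafka")    # usersync path
    results = []
    if not admin_sees:
        results.append(create_user(db, "kafka", "kafka"))
    if not sync_sees:
        results.append(create_user(db, "kafka", "kafka - add from Unix box"))
    count = db.execute("SELECT COUNT(*) FROM x_user WHERE user_name = 'kafka'").fetchone()[0]
    return db, results, count

if __name__ == "__main__":
    for unique in (False, True):
        db, results, count = race(unique)
        try:
            outcome = find_single(db, "kafka")
        except LookupError as err:
            outcome = f"lookup failed: {err}"
        print(f"unique={unique} inserts={results} rows={count} -> {outcome}")
```

On a database that already holds duplicate `user_name` rows, creating the unique index fails until the duplicates are merged or removed.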