Details
Bug
Status: Open
Major
Resolution: Unresolved
0.6.0
None
None
in hdp ambari 2.6
Description
A single user is created twice when the default policy is created and the usersync process syncs the user at the same time, and we got a 404 HTTP code when retrieving service policies.
The two concurrent processes creating the same user at the same time:
1) When creating a service repository like kafka, ranger admin will create a default policy for the user kafka. If the user kafka doesn't exist, ranger admin would create the user first.
2) The ranger usersync process syncs the user kafka from ldap.
If the above two processes happen at nearly the same time, the user will be created twice on the ranger admin side. As a result, the ranger admin db's x_user table gets two records for the user kafka, as shown below:
mysql> select id,added_by_id,user_name,descr from x_user where user_name='kafka' or id=2 or id=27;
+----+-------------+----------------+-------------------------------+
| id | added_by_id | user_name      | descr                         |
+----+-------------+----------------+-------------------------------+
|  2 |        NULL | rangerusersync | rangerusersync                |
| 27 |           2 | ambari-qa      | ambari-qa - add from Unix box |
| 28 |          27 | kafka          | kafka                         |
| 29 |           2 | kafka          | kafka - add from Unix box     |
+----+-------------+----------------+-------------------------------+
In this situation, if we search policies for the service kafka, we get a 404 HTTP code. This is caused by XXUserDao's error when getting singleResult.
getEntityManager()
.createNamedQuery("XXUser.findByUserName", XXUser.class)
.setParameter("name", name.trim())
.getSingleResult();
The command for searching policies:
curl -i -H 'Authorization:Basic YW1iX3Jhbmdlcl9hZG1pbjphbWJhcmkxMjM=' -H 'Accept:application/json' -H 'Content-Type:application/json' http://tbds-10-0-0-16:6080/service/public/api/policy?repositoryName=tdw_kafka\&repositoryType=kafka\&isEnabled=true
This bug reproduced several times in the last two years. Our data platform uses ranger to manage 9 services for security. The above problem just happens when we create a service repository.
Our solution:
Add a unique index on the x_user table's user_name column, and swallow the exception from the create-user failure (because the user was already created by the usersync process) when creating the default policy.
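
The race and the proposed fix (a unique index on x_user.user_name plus tolerating the losing insert), sketched as an added example that is not Ranger's code or the reporter's patch. An in-memory SQLite table stands in for the Ranger admin MySQL database, the function names and index name are hypothetical, and the inserted rows are constructed to mirror the ones in the report.

```python
import sqlite3

def open_db(unique_index):
    # In-memory SQLite stands in for the Ranger admin MySQL database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE x_user (id INTEGER PRIMARY KEY, added_by_id INTEGER,"
               " user_name TEXT, descr TEXT)")
    if unique_index:
        # Index name is hypothetical; the column is the one named in the report.
        db.execute("CREATE UNIQUE INDEX x_user_uk_user_name ON x_user (user_name)")
    return db

def find_user(db, name):
    rows = db.execute("SELECT id FROM x_user WHERE user_name = ?",
                      (name.strip(),)).fetchall()
    if len(rows) > 1:
        # Same failure mode as getSingleResult() on a duplicated user_name.
        raise LookupError(f"{len(rows)} rows for user {name!r}")
    return rows[0][0] if rows else None

def create_user(db, name, added_by, descr):
    """Insert the user; if the unique index rejects it, reuse the winner's row."""
    try:
        cur = db.execute("INSERT INTO x_user (added_by_id, user_name, descr)"
                         " VALUES (?, ?, ?)", (added_by, name, descr))
        return cur.lastrowid
    except sqlite3.IntegrityError:
        return find_user(db, name)

def simulate_race(unique_index):
    """Both writers run their existence check before either one inserts."""
    db = open_db(unique_index)
    admin_saw = find_user(db, "kafka")   # default-policy path
    sync_saw = find_user(db, "kafka")    # usersync path
    ids = []
    if admin_saw is None:
        ids.append(create_user(db, "kafka", 27, "kafka"))
    if sync_saw is None:
        ids.append(create_user(db, "kafka", 2, "kafka - add from Unix box"))
    return db, ids

def duplicate_user_names(db):
    """Names to merge before the unique index can be added to existing data."""
    return db.execute("SELECT user_name, COUNT(*) FROM x_user"
                      " GROUP BY user_name HAVING COUNT(*) > 1").fetchall()
```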