Ranger / RANGER-662

Policy create/update failures leave partial policy in the database



    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 0.5.0
    • Fix Version/s: 0.5.1, 0.6.0
    • Component/s: admin
    • Labels: None


      Create a policy payload per the v1 public API such that it contains an invalid/non-existent usergroup. Do a POST to create a new policy with such a faulty payload. Server returns 400 back to the caller (per the access log). However, a policy gets created. Further, the policy has all of the policy items in it before it encountered the one that had the faulty group in it. In fact, if the offending policy item had, say, 3 groups in it and the last one is bad, then even that policy item is created with 2 correct user groups!

      The same is true if a PUT is done to an existing policy, i.e. existing policy items are deleted and all policy items before the one with bad user group get added and 400 is returned to the caller.

      Expectation is that either all or none of the policy changes should get persisted. Unless we return 2xx, the policy should not get created/updated.

      Here is an example payload.

        {
            "repositoryName": "hivedev",
            "repositoryType": "hive",
            "databases": "*",
            "tables": "*",
            "columns": "*",
            "permMapList": [
                {
                    "groupList": [ "hrt_1", "hadoop", "foobar" ],
                    "permList": [ "Select" ],
                    "userList": []
                }
            ],
            "policyName": "Test_policy_aruna"
        }

      I have not tried this with directly going against the new API. But it would be worth confirming that, too.




            Assignee: Alok Lal (alok)
            Reporter: Alok Lal (alok)
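An added illustration of the all-or-nothing expectation stated in the report (this is not Ranger's code and not from the reporter). A constructed SQLite schema and group list stand in for the policy store, and all function names are hypothetical. It contrasts per-statement commits, which reproduce the partial policy described above, with a single transaction that is rolled back on the first invalid group.

```python
import sqlite3

# Constructed sample data modelled on the report: "foobar" is the missing group.
KNOWN_GROUPS = {"hrt_1", "hadoop"}
PAYLOAD = {
    "policyName": "Test_policy_aruna",
    "permMapList": [
        {"groupList": ["hrt_1", "hadoop", "foobar"], "permList": ["Select"], "userList": []},
    ],
}

def new_db():
    # isolation_level=None puts sqlite3 in autocommit mode; transactions are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE policy (name TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE item_group (policy TEXT, item INTEGER, grp TEXT)")
    return db

def _write(db, payload):
    # Validation is interleaved with writes, as in the behaviour the report describes.
    db.execute("INSERT INTO policy VALUES (?)", (payload["policyName"],))
    for idx, item in enumerate(payload["permMapList"]):
        for grp in item["groupList"]:
            if grp not in KNOWN_GROUPS:
                raise ValueError(f"unknown group: {grp}")
            db.execute("INSERT INTO item_group VALUES (?, ?, ?)",
                       (payload["policyName"], idx, grp))

def create_non_atomic(db, payload):
    """Every INSERT commits on its own, so a late failure leaves earlier rows behind."""
    try:
        _write(db, payload)
        return 200
    except ValueError:
        return 400

def create_atomic(db, payload):
    """All writes share one transaction; any failure rolls the whole policy back."""
    db.execute("BEGIN")
    try:
        _write(db, payload)
        db.execute("COMMIT")
        return 200
    except ValueError:
        db.execute("ROLLBACK")
        return 400

def row_counts(db):
    """Return (policy rows, item_group rows) so callers can check what was persisted."""
    return tuple(db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                 for t in ("policy", "item_group"))
```

Both functions answer 400 for the sample payload; only the stored rows differ, which is the condition a regression test for this issue would assert on.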