[jira] [Created] (RANGER-5403) Intermittent HDFS authorization failures caused by unsafe lazy initialization in CaseSensitiveRecursiveMatcher

[Xuze Yang (Jira)]

Xuze Yang created RANGER-5403:
---------------------------------

             Summary: Intermittent HDFS authorization failures caused by unsafe 
lazy initialization in CaseSensitiveRecursiveMatcher
                 Key: RANGER-5403
                 URL: https://issues.apache.org/jira/browse/RANGER-5403
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.1.0
            Reporter: Xuze Yang


HDFS plugin may intermittently return incorrect authorization results when 
evaluating path-based policies.
This issue occurs under concurrent access due to unsafe lazy initialization 
inside RangerPathResourceMatcher$CaseSensitiveRecursiveMatcher.
 
Symptoms
•Sporadic access denied errors for valid HDFS paths
•The issue appears shortly after policy refresh
 
Root Cause
 
valueWithoutSeparator and valueWithSeparator are lazily initialized inside 
isMatch() without proper synchronization or safe publication.
 
For example:
1.Request R1 starts initializing only valueWithoutSeparator
2.Before R1 assigns valueWithSeparator, Request R2 skips initialization 
(because valueWithoutSeparator != null)
3.R2 reads valueWithSeparator == null
4.startsWith() check fails → false negative authorization
 
This has been reproduced in stress tests of HDFS authorization.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)