wojciechgasior opened a new pull request, #987:
URL: https://github.com/apache/ranger/pull/987
## Problem
When the LDAP/AD source returns **0 groups and 0 users** (e.g. due to a
connectivity failure, firewall block, or misconfigured DC endpoint),
`addOrUpdateGroupUsers()` is never called because it is guarded by
`MapUtils.isNotEmpty(sourceGroupUsers)`. This means `deltaGroupUsers` is never
initialised and stays `null`.
On the **first sync cycle after startup** (`isStartupFlag = true`), the
`whiteListGroupMap` and `groupMap` iteration loops fall through to the
`else-if` branch:
```java
} else if (CollectionUtils.isNotEmpty(deltaGroupUsers.get(groupName))) {
```
Because `deltaGroupUsers` is `null`, this line throws:
```
java.lang.NullPointerException: Cannot invoke "java.util.Map.get(Object)" because "this.deltaGroupUsers" is null
    at PolicyMgrUserGroupBuilder.addOrUpdateUsersGroups(PolicyMgrUserGroupBuilder.java:372)
```
The NPE propagates as a misleading `"Failed to addOrUpdate users to ranger
admin"` error and causes Ranger to **drop all existing group associations** for
users on restart rather than preserving the last-known-good state.
Note: `MapUtils.isNotEmpty(deltaGroupUsers)` at the cache-update step (line
~391) is already null-safe, so only the two `else-if` call sites are affected.
## Fix
Initialise `deltaGroupUsers` to an empty `HashMap` at the top of
`addOrUpdateUsersGroups()`, alongside the existing initialisations of
`computeRolesForUsers` and the `noOf*` counters. An empty map is the correct
"nothing synced yet" state — `deltaGroupUsers.get(groupName)` will return
`null`, `CollectionUtils.isNotEmpty(null)` returns `false`, and the branch is
safely skipped.
```java
computeRolesForUsers = new HashSet<>();
deltaGroupUsers = new HashMap<>(); // ← added
```
## Test
Added `testAK_addOrUpdateUsersGroups_startup_emptyLdap_doesNotThrowNPE` to
`TestPolicyMgrUserGroupBuilder`:
- Sets `isStartupFlag = true`
- Populates `whiteListGroupMap` with one group (`g1`) **not present** in
`groupUsersCache` (forces the `else-if` / `deltaGroupUsers` branch)
- Calls `addOrUpdateUsersGroups` with all-empty source maps (simulates LDAP
returning 0 results)
- Asserts **no `NullPointerException`** is thrown
## Impact
Observed in production with Apache Ranger UserSync 2.7.0 (Kubernetes
deployment, LDAP/AD source). The connectivity issue was resolved via a
workaround, but the NPE recurs on every restart until this code path is
hardened.
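
A minimal, self-contained model of the failure pattern described in this pull request, added here as an illustration; it is not Ranger's code and not the test from the PR. The class `DeltaInitDemo`, its `Builder`, the `initAtTop` switch and the cache check in the first branch are assumptions made for the example; only the field and flag names are borrowed from the description.

```java
import java.util.*;

// Hypothetical model of the bug pattern; not Ranger's PolicyMgrUserGroupBuilder.
public class DeltaInitDemo {
    static class Builder {
        private final boolean initAtTop;   // false = guarded init only, true = init at method top
        private boolean isStartupFlag = true;
        private Map<String, Set<String>> deltaGroupUsers;   // null until something assigns it
        private final Map<String, Set<String>> groupUsersCache = new HashMap<>();
        private final Set<String> whiteListGroups = new HashSet<>(List.of("g1")); // constructed sample

        Builder(boolean initAtTop) { this.initAtTop = initAtTop; }

        int sync(Map<String, Set<String>> sourceGroupUsers) {
            if (initAtTop) {
                deltaGroupUsers = new HashMap<>();   // empty map = "nothing synced yet"
            }
            // Guarded path: skipped entirely when the directory returns no groups.
            if (sourceGroupUsers != null && !sourceGroupUsers.isEmpty()) {
                deltaGroupUsers = new HashMap<>(sourceGroupUsers);
            }
            int touched = 0;
            if (isStartupFlag) {
                for (String group : whiteListGroups) {
                    if (groupUsersCache.containsKey(group)) {   // assumed first-branch condition
                        touched++;
                    } else {
                        // Dereference that throws when the field was never assigned.
                        Set<String> delta = deltaGroupUsers.get(group);
                        if (delta != null && !delta.isEmpty()) touched++;
                    }
                }
            }
            isStartupFlag = false;
            return touched;
        }
    }

    // Runs one startup cycle with an empty source map (directory returned 0 results).
    static String run(boolean initAtTop) {
        try {
            return "ok, groups touched=" + new Builder(initAtTop).sync(Collections.emptyMap());
        } catch (NullPointerException e) {
            return "NullPointerException";
        }
    }

    public static void main(String[] args) {
        System.out.println("guarded init only:  " + run(false));
        System.out.println("init at method top: " + run(true));
    }
}
```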