Hi Naoki Takezoe, > - retry a request for server errors (5xx) to cover temporary server issues In case of policy download failures, Ranger plugin does retry 3 times, with a pause of 1 sec between attempts. Please see below relevant logs from Trino. If such logs are not seen in your environment, can you share the logs to investigate this further?
> - fail policy evaluation with initialization error if the policy has never > been successfully retrieved Given there are no policies available, plugin should return "access denied". How different is this from returning initialization error? Madhan 2025-04-03T05:15:37.758Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with Ranger Admin. URL: http://host.docker.internal:6080. Error: java.net.ConnectException: Connection refused 2025-04-03T05:15:37.758Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Waiting for 1000ms before retry attempt #1 2025-04-03T05:15:38.763Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with Ranger Admin. URL: http://host.docker.internal:6080. Error: java.net.ConnectException: Connection refused 2025-04-03T05:15:38.763Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Waiting for 1000ms before retry attempt #2 2025-04-03T05:15:39.768Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with Ranger Admin. URL: http://host.docker.internal:6080. Error: java.net.ConnectException: Connection refused 2025-04-03T05:15:39.769Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Waiting for 1000ms before retry attempt #3 2025-04-03T05:15:40.774Z WARN main org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with Ranger Admin. URL: http://host.docker.internal:6080. Error: java.net.ConnectException: Connection refused 2025-04-03T05:15:40.775Z ERROR main org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with all Ranger Admin's URL's : [ [http://host.docker.internal:6080] ] 2025-04-03T05:15:40.775Z ERROR main org.apache.ranger.plugin.util.PolicyRefresher PolicyRefresher(serviceName=dev_trino): failed to refresh policies. Will continue to use last known version of policies (-1) com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: Connection refused at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155) at com.sun.jersey.api.client.Client.handle(Client.java:652) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509) at org.apache.ranger.plugin.util.RangerRESTClient.get(RangerRESTClient.java:544) at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:153) ... ... 2025-04-03T05:16:13.875Z WARN PolicyRefresher(serviceName=dev_trino)-171 org.apache.ranger.plugin.util.RangerRESTClient Failed to communicate with Ranger Admin. URL: http://host.docker.internal:6080. Error: java.net.SocketException: Unexpected end of file from server 2025-04-03T05:16:13.875Z WARN PolicyRefresher(serviceName=dev_trino)-171 org.apache.ranger.plugin.util.RangerRESTClient Waiting for 1000ms before retry attempt #1 2025-04-03T05:16:19.262Z INFO PolicyRefresher(serviceName=dev_trino)-171 org.apache.ranger.plugin.util.PolicyRefresher PolicyRefresher(serviceName=dev_trino): found updated version. lastKnownVersion=-1; newVersion=18 On 4/3/25, 8:37 AM, "Naoki Takezoe" <take...@gmail.com <mailto:take...@gmail.com>> wrote: > We use Ranger on Trino. When our Ranger server behind a reverse proxy > was temporarily unavailable, the proxy was returning 503. Sorry, this was actually 502. Anyway, ranger-admin behind a reverse proxy was unavailable temporarily when the Ranger client sent the very initial policy retrieval request. On Thu, Apr 3, 2025 at 11:59 AM Naoki Takezoe <take...@gmail.com <mailto:take...@gmail.com>> wrote: > > Hi, > > I have a question about the behavior of Ranger client. > > We use Ranger on Trino. When our Ranger server behind a reverse proxy > was temporarily unavailable, the proxy was returning 503. > > Based on the log, Rager client didn't seem to retry the request and > PolicyEngine worked without any policy if the very initial policy > retrieval (so there is no cache) fails until the next retrieval > succeeds. > > I know RangerRESTClient has a retry mechanism > (https://issues.apache.org/jira/browse/RANGER-3565 > <https://issues.apache.org/jira/browse/RANGER-3565>) but it works only > when ClientHandlerException occurs while Jersey's default client > handler doesn't seem to raise an exception even for 5xx errors. > > Is this expected behavior? Or is there any workaround? > > I think it's better to > - retry a request for server errors (5xx) to cover temporary server issues > - fail policy evaluation with initialization error if the policy has > never been successfully retrieved > > -- > Naoki Takezoe -- Naoki Takezoe
