Here is the Trino log from my test with a server that returns a 502 error:

2025-04-05T13:42:20.663+0900 INFO main
org.apache.ranger.plugin.service.RangerBasePlugin Created
PolicyRefresher Thread(PolicyRefresher(serviceName=trino)-196)
2025-04-05T13:42:20.817+0900 WARN main
org.apache.ranger.admin.client.RangerAdminRESTClient Error getting
Roles. secureMode=false, user=takezoe (auth:SIMPLE),
response={"httpStatusCode":502,"statusCode":0}, serviceName=trino
2025-04-05T13:42:20.819+0900 WARN main
org.apache.ranger.admin.client.RangerAdminRESTClient Error getting
policies. secureMode=false, user=takezoe (auth:SIMPLE),
response={"httpStatusCode":502,"statusCode":0}, serviceName=trino
2025-04-05T13:42:20.820+0900 WARN main
org.apache.ranger.plugin.util.PolicyRefresher cache file does not
exist or not readable 'null'
2025-04-05T13:42:20.821+0900 ERROR main
org.apache.ranger.authorization.hadoop.config.RangerAdminConfig Could
not add ranger-admin resources to RangerAdminConfig.
2025-04-05T13:42:20.853+0900 WARN main
org.apache.ranger.plugin.util.RangerPolicyDeltaUtil ServicePolicies do
not contain any policies or policy-deltas!!
2025-04-05T13:42:20.853+0900 INFO main
org.apache.ranger.plugin.policyengine.PolicyEngine Policy engine will
not perform in place update while processing policies.
2025-04-05T13:42:20.861+0900 INFO main
org.apache.ranger.plugin.policyengine.RangerPolicyRepository This
policy engine contains 0 policy evaluators
2025-04-05T13:42:20.865+0900 INFO main
org.apache.ranger.plugin.service.RangerBasePlugin Switching policy
engine from [-1]
2025-04-05T13:42:20.865+0900 INFO main
org.apache.ranger.plugin.service.RangerBasePlugin Switched policy
engine to [-1]

On Fri, Apr 4, 2025 at 9:36 AM Naoki Takezoe <take...@gmail.com> wrote:
>
> Hi Madhan,
>
> On Thu, Apr 3, 2025 at 2:53 PM Madhan Neethiraj <mad...@apache.org> wrote:
> >
> > Hi Naoki Takezoe,
> >
> > > - retry a request for server errors (5xx) to cover temporary server issues
> > In case of policy download failures, Ranger plugin does retry 3 times, with 
> > a pause of 1 sec between attempts. Please see below relevant logs from 
> > Trino. If such logs are not seen in your environment, can you share the 
> > logs to investigate this further?
>
> Note that our ranger-admin is behind a reverse proxy and the reverse
> proxy itself was alive.
>
> Again, I know RangerRESTClient has a retry mechanism
> (https://issues.apache.org/jira/browse/RANGER-3565) but it works only
> when ClientHandlerException occurs:
> https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415
>
> while Jersey's default client handler that is used in RangerRESTClient
> doesn't raise an exception even for 5xx errors:
> https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java
>
> > > - fail policy evaluation with initialization error if the policy has 
> > > never been successfully retrieved
> > Given there are no policies available, plugin should return "access 
> > denied". How different is this from returning initialization error?
>
> Initialization error would be worth retrying on the Trino client side
> even if it's not covered on the Ranger client side.
>
> --
> Naoki Takezoe



-- 
Naoki Takezoe
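
The gap discussed in this thread, as an added example that is not part of the original message and is not Ranger's code: a retry loop that reacts only to exceptions returns a 502 on the first attempt, while one that also inspects the status code keeps trying. The Transport interface, class and method names and the 502/502/200 reply sequence are hypothetical and constructed for illustration; the 3 attempts and 1 second pause are the values quoted in the thread.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

public class RetryOn5xxDemo {
    /** Hypothetical transport: returns an HTTP status, throws on connection failure. */
    interface Transport { int get() throws IOException; }

    /** Retries only when the transport throws (maxAttempts must be >= 1). */
    static int fetchRetryOnException(Transport t, int maxAttempts, long pauseMs) throws Exception {
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return t.get(); // a 502 comes back as an ordinary response, so no retry
            } catch (IOException e) {
                last = e;
                if (attempt < maxAttempts) Thread.sleep(pauseMs);
            }
        }
        throw last;
    }

    /** Retries on transport exceptions and on 5xx responses (maxAttempts must be >= 1). */
    static int fetchRetryOn5xx(Transport t, int maxAttempts, long pauseMs) throws Exception {
        int status = -1;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                status = t.get();
                if (status < 500 || status > 599) return status; // not a server error
            } catch (IOException e) {
                if (attempt == maxAttempts) throw e;
            }
            if (attempt < maxAttempts) Thread.sleep(pauseMs);
        }
        return status; // still 5xx after every attempt: the caller must treat this as a failure
    }

    /** Constructed sample: a reverse proxy that answers 502 twice, then 200. */
    static Transport proxy() {
        Deque<Integer> replies = new ArrayDeque<>(List.of(502, 502, 200));
        return () -> replies.isEmpty() ? 200 : replies.poll();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("exception-only retry: " + fetchRetryOnException(proxy(), 3, 1000));
        System.out.println("5xx-aware retry:      " + fetchRetryOn5xx(proxy(), 3, 1000));
    }
}
```

A caller that still receives a 5xx from the second method has never obtained policies, which is the case the thread proposes to report as an initialization error.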
