Hi Naoki Takezoe, The fix looks good. Can you please file a JIRA and create a pull-request?
Madhan On 4/11/25, 10:15 PM, "Naoki Takezoe" <take...@gmail.com <mailto:take...@gmail.com>> wrote: This would retry GET requests on 5xx error in RangerRESTClient: https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6 <https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6> Is it worth raising a JIRA and sending a pull request? On Sat, Apr 5, 2025 at 1:45 PM Naoki Takezoe <take...@gmail.com <mailto:take...@gmail.com>> wrote: > > Here is Trino log I tested with a server that returns 502 error: > > 2025-04-05T13:42:20.663+0900 INFO main > org.apache.ranger.plugin.service.RangerBasePlugin Created > PolicyRefresher Thread(PolicyRefresher(serviceName=trino)-196) > 2025-04-05T13:42:20.817+0900 WARN main > org.apache.ranger.admin.client.RangerAdminRESTClient Error getting > Roles. secureMode=false, user=takezoe (auth:SIMPLE), > response={"httpStatusCode":502,"statusCode":0}, serviceName=trino > 2025-04-05T13:42:20.819+0900 WARN main > org.apache.ranger.admin.client.RangerAdminRESTClient Error getting > policies. secureMode=false, user=takezoe (auth:SIMPLE), > response={"httpStatusCode":502,"statusCode":0}, serviceName=trino > 2025-04-05T13:42:20.820+0900 WARN main > org.apache.ranger.plugin.util.PolicyRefresher cache file does not > exist or not readable 'null' > 2025-04-05T13:42:20.821+0900 ERROR main > org.apache.ranger.authorization.hadoop.config.RangerAdminConfig Could > not add ranger-admin resources to RangerAdminConfig. > 2025-04-05T13:42:20.853+0900 WARN main > org.apache.ranger.plugin.util.RangerPolicyDeltaUtil ServicePolicies do > not contain any policies or policy-deltas!! > 2025-04-05T13:42:20.853+0900 INFO main > org.apache.ranger.plugin.policyengine.PolicyEngine Policy engine will > not perform in place update while processing policies. > 2025-04-05T13:42:20.861+0900 INFO main > org.apache.ranger.plugin.policyengine.RangerPolicyRepository This > policy engine contains 0 policy evaluators > 2025-04-05T13:42:20.865+0900 INFO main > org.apache.ranger.plugin.service.RangerBasePlugin Switching policy > engine from [-1] > 2025-04-05T13:42:20.865+0900 INFO main > org.apache.ranger.plugin.service.RangerBasePlugin Switched policy > engine to [-1] > > On Fri, Apr 4, 2025 at 9:36 AM Naoki Takezoe <take...@gmail.com > <mailto:take...@gmail.com>> wrote: > > > > Hi Madhan, > > > > On Thu, Apr 3, 2025 at 2:53 PM Madhan Neethiraj <mad...@apache.org > > <mailto:mad...@apache.org>> wrote: > > > > > > Hi Naoki Takezoe, > > > > > > > - retry a request for server errors (5xx) to cover temporary server > > > > issues > > > In case of policy download failures, Ranger plugin does retry 3 times, > > > with a pause of 1 sec between attempts. Please see below relevant logs > > > from Trino. If such logs are not seen in your environment, can you share > > > the logs to investigate this further? > > > > Note that our ranger-admin is behind a reverse proxy and the reverse > > proxy itself was alive. > > > > Again, I know RangerRESTClient has a retry mechanism > > (https://issues.apache.org/jira/browse/RANGER-3565 > > <https://issues.apache.org/jira/browse/RANGER-3565>) but it works only > > when ClientHandlerException occurs: > > https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415 > > > > <https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415> > > > > while Jersey's default client handler that is used in RangerRESTClient > > doesn't raise an exception even for 5xx errors: > > https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java > > > > <https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java> > > > > > > - fail policy evaluation with initialization error if the policy has > > > > never been successfully retrieved > > > Given there are no policies available, plugin should return "access > > > denied". How different is this from returning initialization error? > > > > Initialization error would be worth retrying on the Trino client side > > even if it's not covered on the Ranger client side. > > > > -- > > Naoki Takezoe > > > > -- > Naoki Takezoe -- Naoki Takezoe
