Hi Naoki Takezoe,

The fix looks good. Can you please file a JIRA and create a pull-request?

Madhan




On 4/11/25, 10:15 PM, "Naoki Takezoe" <take...@gmail.com 
<mailto:take...@gmail.com>> wrote:


This would retry GET requests on 5xx error in RangerRESTClient:
https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6
 
<https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6>


Is it worth raising a JIRA and sending a pull request?




On Sat, Apr 5, 2025 at 1:45 PM Naoki Takezoe <take...@gmail.com 
<mailto:take...@gmail.com>> wrote:
>
> Here is Trino log I tested with a server that returns 502 error:
>
> 2025-04-05T13:42:20.663+0900 INFO main
> org.apache.ranger.plugin.service.RangerBasePlugin Created
> PolicyRefresher Thread(PolicyRefresher(serviceName=trino)-196)
> 2025-04-05T13:42:20.817+0900 WARN main
> org.apache.ranger.admin.client.RangerAdminRESTClient Error getting
> Roles. secureMode=false, user=takezoe (auth:SIMPLE),
> response={"httpStatusCode":502,"statusCode":0}, serviceName=trino
> 2025-04-05T13:42:20.819+0900 WARN main
> org.apache.ranger.admin.client.RangerAdminRESTClient Error getting
> policies. secureMode=false, user=takezoe (auth:SIMPLE),
> response={"httpStatusCode":502,"statusCode":0}, serviceName=trino
> 2025-04-05T13:42:20.820+0900 WARN main
> org.apache.ranger.plugin.util.PolicyRefresher cache file does not
> exist or not readable 'null'
> 2025-04-05T13:42:20.821+0900 ERROR main
> org.apache.ranger.authorization.hadoop.config.RangerAdminConfig Could
> not add ranger-admin resources to RangerAdminConfig.
> 2025-04-05T13:42:20.853+0900 WARN main
> org.apache.ranger.plugin.util.RangerPolicyDeltaUtil ServicePolicies do
> not contain any policies or policy-deltas!!
> 2025-04-05T13:42:20.853+0900 INFO main
> org.apache.ranger.plugin.policyengine.PolicyEngine Policy engine will
> not perform in place update while processing policies.
> 2025-04-05T13:42:20.861+0900 INFO main
> org.apache.ranger.plugin.policyengine.RangerPolicyRepository This
> policy engine contains 0 policy evaluators
> 2025-04-05T13:42:20.865+0900 INFO main
> org.apache.ranger.plugin.service.RangerBasePlugin Switching policy
> engine from [-1]
> 2025-04-05T13:42:20.865+0900 INFO main
> org.apache.ranger.plugin.service.RangerBasePlugin Switched policy
> engine to [-1]
>
> On Fri, Apr 4, 2025 at 9:36 AM Naoki Takezoe <take...@gmail.com 
> <mailto:take...@gmail.com>> wrote:
> >
> > Hi Madhan,
> >
> > On Thu, Apr 3, 2025 at 2:53 PM Madhan Neethiraj <mad...@apache.org 
> > <mailto:mad...@apache.org>> wrote:
> > >
> > > Hi Naoki Takezoe,
> > >
> > > > - retry a request for server errors (5xx) to cover temporary server 
> > > > issues
> > > In case of policy download failures, Ranger plugin does retry 3 times, 
> > > with a pause of 1 sec between attempts. Please see below relevant logs 
> > > from Trino. If such logs are not seen in your environment, can you share 
> > > the logs to investigate this further?
> >
> > Note that our ranger-admin is behind a reverse proxy and the reverse
> > proxy itself was alive.
> >
> > Again, I know RangerRESTClient has a retry mechanism
> > (https://issues.apache.org/jira/browse/RANGER-3565 
> > <https://issues.apache.org/jira/browse/RANGER-3565>) but it works only
> > when ClientHandlerException occurs:
> > https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415
> >  
> > <https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415>
> >
> > while Jersey's default client handler that is used in RangerRESTClient
> > doesn't raise an exception even for 5xx errors:
> > https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java
> >  
> > <https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java>
> >
> > > > - fail policy evaluation with initialization error if the policy has 
> > > > never been successfully retrieved
> > > Given there are no policies available, plugin should return "access 
> > > denied". How different is this from returning initialization error?
> >
> > Initialization error would be worth retrying on the Trino client side
> > even if it's not covered on the Ranger client side.
> >
> > --
> > Naoki Takezoe
>
>
>
> --
> Naoki Takezoe






--
Naoki Takezoe




Reply via email to