Ha Madhan, Thank you for taking a look!
I opened a JIRA ticket and created a pull request: - https://issues.apache.org/jira/browse/RANGER-5201 - https://github.com/apache/ranger/pull/565 On Wed, Apr 23, 2025 at 1:16 PM Madhan Neethiraj <mad...@apache.org> wrote: > > Hi Naoki Takezoe, > > The fix looks good. Can you please file a JIRA and create a pull-request? > > Madhan > > > > > On 4/11/25, 10:15 PM, "Naoki Takezoe" <take...@gmail.com > <mailto:take...@gmail.com>> wrote: > > > This would retry GET requests on 5xx error in RangerRESTClient: > https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6 > > <https://github.com/takezoe/ranger/commit/cf47c59c2131bf38bbff784532f094b3a62eb7c6> > > > Is it worth raising a JIRA and sending a pull request? > > > > > On Sat, Apr 5, 2025 at 1:45 PM Naoki Takezoe <take...@gmail.com > <mailto:take...@gmail.com>> wrote: > > > > Here is Trino log I tested with a server that returns 502 error: > > > > 2025-04-05T13:42:20.663+0900 INFO main > > org.apache.ranger.plugin.service.RangerBasePlugin Created > > PolicyRefresher Thread(PolicyRefresher(serviceName=trino)-196) > > 2025-04-05T13:42:20.817+0900 WARN main > > org.apache.ranger.admin.client.RangerAdminRESTClient Error getting > > Roles. secureMode=false, user=takezoe (auth:SIMPLE), > > response={"httpStatusCode":502,"statusCode":0}, serviceName=trino > > 2025-04-05T13:42:20.819+0900 WARN main > > org.apache.ranger.admin.client.RangerAdminRESTClient Error getting > > policies. secureMode=false, user=takezoe (auth:SIMPLE), > > response={"httpStatusCode":502,"statusCode":0}, serviceName=trino > > 2025-04-05T13:42:20.820+0900 WARN main > > org.apache.ranger.plugin.util.PolicyRefresher cache file does not > > exist or not readable 'null' > > 2025-04-05T13:42:20.821+0900 ERROR main > > org.apache.ranger.authorization.hadoop.config.RangerAdminConfig Could > > not add ranger-admin resources to RangerAdminConfig. > > 2025-04-05T13:42:20.853+0900 WARN main > > org.apache.ranger.plugin.util.RangerPolicyDeltaUtil ServicePolicies do > > not contain any policies or policy-deltas!! > > 2025-04-05T13:42:20.853+0900 INFO main > > org.apache.ranger.plugin.policyengine.PolicyEngine Policy engine will > > not perform in place update while processing policies. > > 2025-04-05T13:42:20.861+0900 INFO main > > org.apache.ranger.plugin.policyengine.RangerPolicyRepository This > > policy engine contains 0 policy evaluators > > 2025-04-05T13:42:20.865+0900 INFO main > > org.apache.ranger.plugin.service.RangerBasePlugin Switching policy > > engine from [-1] > > 2025-04-05T13:42:20.865+0900 INFO main > > org.apache.ranger.plugin.service.RangerBasePlugin Switched policy > > engine to [-1] > > > > On Fri, Apr 4, 2025 at 9:36 AM Naoki Takezoe <take...@gmail.com > > <mailto:take...@gmail.com>> wrote: > > > > > > Hi Madhan, > > > > > > On Thu, Apr 3, 2025 at 2:53 PM Madhan Neethiraj <mad...@apache.org > > > <mailto:mad...@apache.org>> wrote: > > > > > > > > Hi Naoki Takezoe, > > > > > > > > > - retry a request for server errors (5xx) to cover temporary server > > > > > issues > > > > In case of policy download failures, Ranger plugin does retry 3 times, > > > > with a pause of 1 sec between attempts. Please see below relevant logs > > > > from Trino. If such logs are not seen in your environment, can you > > > > share the logs to investigate this further? > > > > > > Note that our ranger-admin is behind a reverse proxy and the reverse > > > proxy itself was alive. > > > > > > Again, I know RangerRESTClient has a retry mechanism > > > (https://issues.apache.org/jira/browse/RANGER-3565 > > > <https://issues.apache.org/jira/browse/RANGER-3565>) but it works only > > > when ClientHandlerException occurs: > > > https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415 > > > > > > <https://github.com/apache/ranger/blob/dbaad69de10ff7b21b5bd3fc08c4b65b4aa25dff/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L409-L415> > > > > > > while Jersey's default client handler that is used in RangerRESTClient > > > doesn't raise an exception even for 5xx errors: > > > https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java > > > > > > <https://github.com/javaee/jersey-1.x/blob/1.19.3/jersey-client/src/main/java/com/sun/jersey/client/urlconnection/URLConnectionClientHandler.java> > > > > > > > > - fail policy evaluation with initialization error if the policy has > > > > > never been successfully retrieved > > > > Given there are no policies available, plugin should return "access > > > > denied". How different is this from returning initialization error? > > > > > > Initialization error would be worth retrying on the Trino client side > > > even if it's not covered on the Ranger client side. > > > > > > -- > > > Naoki Takezoe > > > > > > > > -- > > Naoki Takezoe > > > > > > > -- > Naoki Takezoe > > > > -- Naoki Takezoe
