[RND-1605] NES ranger 인가 정책 연동에 사용하는 파일 처리 방식 디버그 (#46)

* rgw_ranger_integration: fix 'does not chown for relative directory' issue * rgw_ranger_integration: add mutex treatment for writing relative files
nexr · Oct 17, 2023 · 717b360 · 717b360
1 parent 0f0c2d5
commit 717b360
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 15 deletions.
diff --git a/src/rgw/rgw_ranger.cc b/src/rgw/rgw_ranger.cc
@@ -110,7 +110,7 @@ void prepare_cache_dir(CephContext* const cct) {
 
   struct stat f_stat;
   if (stat(ranger_cache_dir.c_str(), &f_stat) != 0) {
-    if (mkdir(ranger_cache_dir.c_str(), 0755) == -1) {
+    if (mkdir(ranger_cache_dir.c_str(), 0755) != -1) {
       chown(ranger_cache_dir.c_str(), cct->get_set_uid(), cct->get_set_gid());
     }
     else {

diff --git a/src/rgw/rgw_ranger.h b/src/rgw/rgw_ranger.h
@@ -118,6 +118,8 @@ class RGWRangerManager {
 
   string policy_cache_dir;
   time_t cache_update_interval;
+  // cache_update
+  std::mutex cu_mutex;
 
   string change_owner_to_svc_name(string owner_name) {
     string svc_name = owner_name;
@@ -224,6 +226,8 @@ class RGWRangerJniThread : public Thread {
   std::mutex r_mutex;
   std::condition_variable r_cond;
 
+  // audit_config
+  std::mutex ac_mutex;
 
 public:
   bool down_flag = false;

diff --git a/src/rgw/rgw_ranger_jni.cc b/src/rgw/rgw_ranger_jni.cc
@@ -20,7 +20,7 @@ RGWRangerJniManager::RGWRangerJniManager(CephContext* const _cct, rgw::sal::RGWR
 
   struct stat f_stat;
   if (stat(jni_config_dir.c_str(), &f_stat) != 0) {
-    if (mkdir(jni_config_dir.c_str(), 0755) == -1) {
+    if (mkdir(jni_config_dir.c_str(), 0755) != -1) {
       chown(jni_config_dir.c_str(), cct->get_set_uid(), cct->get_set_gid());
     }
     else {
@@ -326,6 +326,8 @@ bool RGWRangerJniThread::config_audit()
 
   string target_audit_conf = (audit_service_specific) ? service_audit_conf : default_audit_conf;
 
+  unique_lock<std::mutex> ac_lock(ac_mutex);
+
   if (parent->is_file_age_younger(target_audit_conf, parent->audit_conf_age))
   {
     return true;
@@ -467,6 +469,8 @@ void RGWRangerJniThread::organize_cached_policy() {
 
   std::remove(cached_role.c_str());
 
+  unique_lock<std::mutex> cu_lock(parent->cu_mutex);
+
   if (parent->is_file_age_younger(dest_file, parent->cache_update_interval))
   {
     std::remove(cached_policy.c_str());

diff --git a/src/rgw/rgw_ranger_native.cc b/src/rgw/rgw_ranger_native.cc
@@ -635,10 +635,7 @@ int RGWRangerNativeManager::get_related_policies_from_remote(vector<ranger_polic
   int offset = 0;
 
   string cached_policy_file = policy_cache_dir + "/" + service + ".json";
-  string policies_to_caching = "";
-
-  bool need_caching = ( !is_file_exist(cached_policy_file) \
-                     || is_file_age_older(cached_policy_file, cache_update_interval) );
+  string policies_to_cache = "";
 
   while (need_continue) {
     int ret;
@@ -707,14 +704,12 @@ int RGWRangerNativeManager::get_related_policies_from_remote(vector<ranger_polic
       return -EINVAL;
     }
 
-    if (need_caching) {
-      string policies_str;
-      policies_str = policies_obj->get_data();
-      policies_str = policies_str.substr(1, (policies_str.length() - 1) - 1); // truncate '[' and ']'
+    string policies_part_to_cache;
+    policies_part_to_cache = policies_obj->get_data();
+    policies_part_to_cache = policies_part_to_cache.substr(1, (policies_part_to_cache.length() - 1) - 1); // truncate '[' and ']'
 
-      policies_to_caching = (policies_to_caching.empty()) ? policies_str \
-                                                          : policies_to_caching + "," + policies_str;
-    }
+    policies_to_cache = (policies_to_cache.empty()) ? policies_part_to_cache
+                                                    : policies_to_cache + "," + policies_part_to_cache;
 
     vector<string> policies_str = policies_obj->get_array_elements();
 
@@ -735,17 +730,22 @@ int RGWRangerNativeManager::get_related_policies_from_remote(vector<ranger_polic
     }
   }
 
+  unique_lock<std::mutex> cu_lock(cu_mutex);
+
+  bool need_caching = ( !is_file_exist(cached_policy_file) \
+                     || is_file_age_older(cached_policy_file, cache_update_interval) );
+
   if (need_caching) {
     ldout(cct, 10) << __func__ << "(): Try to write cached policy (" << cached_policy_file << ")" << dendl;
 
-    policies_to_caching = "{\"policies\":[" + policies_to_caching + "]}";
+    policies_to_cache = "{\"policies\":[" + policies_to_cache + "]}";
 
     // write File
     ofstream write_stream;
     write_stream.open(cached_policy_file);
 
     if (write_stream.is_open()) {
-      write_stream << policies_to_caching;
+      write_stream << policies_to_cache;
       write_stream.close();
 
       if (use_cached_one) {