Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ranger: java.lang.IllegalArgumentException: bound must be positive #24464

Closed
epheatt opened this issue Dec 13, 2024 · 8 comments
Closed

Ranger: java.lang.IllegalArgumentException: bound must be positive #24464

epheatt opened this issue Dec 13, 2024 · 8 comments

Comments

@epheatt
Copy link

epheatt commented Dec 13, 2024
edited
Loading

Using trinodb/trino:467 image in Kubernetes the Guice-7.0.0 ASM related to google/guice#1822 fails to start the coordinator with stacktrace related to LineNumbers

2024-12-12T21:57:20.471Z        INFO    main    io.trino.security.AccessControlManager  -- Loading system access control etc/access-control.properties --
2024-12-12T21:57:20.868Z        INFO    main    org.hibernate.validator.internal.util.Version   HV000001: Hibernate Validator 8.0.1.Final
2024-12-12T21:57:21.592Z        INFO    main    Bootstrap       PROPERTY                       DEFAULT  RUNTIME                                                                    DESCRIPTION
2024-12-12T21:57:21.592Z        INFO    main    Bootstrap       ranger.hadoop.config.resource  []       [/etc/trino/ranger-trino-security.xml, /etc/trino/ranger-trino-audit.xml]  List of paths to hadoop configuration files
2024-12-12T21:57:21.592Z        INFO    main    Bootstrap       ranger.plugin.config.resource  []       []                                                                         List of paths to Ranger plugin configuration files
2024-12-12T21:57:21.592Z        INFO    main    Bootstrap       ranger.service.name            ----     trino                                                                      Name of Ranger service containing policies to enforce
2024-12-12T21:57:21.864Z        INFO    main    io.trino.plugin.ranger.RangerSystemAccessControl        Loading Hadoop config /etc/trino/ranger-trino-security.xml from url file:/etc/trino/ranger-trino-security.xml
2024-12-12T21:57:21.963Z        INFO    main    io.trino.plugin.ranger.RangerSystemAccessControl        Loading Hadoop config /etc/trino/ranger-trino-audit.xml from url file:/etc/trino/ranger-trino-audit.xml
2024-12-12T21:57:22.266Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-audit.xml): couldn't find resource file location
2024-12-12T21:57:22.267Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-security.xml): couldn't find resource file location
2024-12-12T21:57:22.267Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-policymgr-ssl.xml): couldn't find resource file location
2024-12-12T21:57:22.268Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-trino-audit.xml): couldn't find resource file location
2024-12-12T21:57:22.268Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-trino-security.xml): couldn't find resource file location
2024-12-12T21:57:22.268Z        ERROR   main    org.apache.ranger.authorization.hadoop.config.RangerConfiguration       addResourceIfReadable(ranger-trino-trino-policymgr-ssl.xml): couldn't find resource file location
2024-12-12T21:57:22.269Z        INFO    main    org.apache.ranger.authorization.hadoop.config.RangerPluginConfig        PolicyEngineOptions: { evaluatorType: auto, evaluateDelegateAdminOnly: false, disableContextEnrichers: false, disableCustomConditions: false, disableTagPolicyEvaluation: false, disablePolicyRefresher: false, disableTagRetriever: false, disableUserStoreRetriever: false, enableTagEnricherWithLocalRefresher: false, enableUserStoreEnricherWithLocalRefresher: false, disableTrieLookupPrefilter: false, optimizeTrieForRetrieval: false, cacheAuditResult: false, disableRoleResolution: true, optimizeTrieForSpace: false, optimizeTagTrieForRetrieval: false, optimizeTagTrieForSpace: false }
2024-12-12T21:57:22.271Z        INFO    main    org.apache.ranger.plugin.service.RangerBasePlugin       ranger.plugin.trino.null_safe.supplier=v2
2024-12-12T21:57:22.280Z        INFO    main    org.apache.ranger.audit.provider.AuditProviderFactory   AuditProviderFactory: creating..
2024-12-12T21:57:22.280Z        INFO    main    org.apache.ranger.audit.provider.AuditProviderFactory   AuditProviderFactory: initializing..
2024-12-12T21:57:22.363Z        INFO    main    org.apache.ranger.audit.provider.AuditProviderFactory   No v3 audit configuration found. Trying v2 audit configurations
2024-12-12T21:57:22.364Z        INFO    Ranger async Audit cleanup      org.apache.ranger.audit.provider.AuditProviderFactory   RangerAsyncAuditCleanup: Waiting to audit cleanup start signal
2024-12-12T21:57:22.587Z        WARN    main    com.google.inject.internal.util.LineNumbers     Failed loading line numbers. ASM is probably out of date. Further failures won't be logged.
java.lang.IllegalArgumentException: Unsupported class file major version 67
        at com.google.inject.internal.asm.$ClassReader.<init>(ClassReader.java:199)
        at com.google.inject.internal.asm.$ClassReader.<init>(ClassReader.java:180)
        at com.google.inject.internal.asm.$ClassReader.<init>(ClassReader.java:166)
        at com.google.inject.internal.asm.$ClassReader.<init>(ClassReader.java:287)
        at com.google.inject.internal.util.LineNumbers.<init>(LineNumbers.java:74)
        at com.google.inject.internal.util.StackTraceElements$1.load(StackTraceElements.java:48)
        at com.google.inject.internal.util.StackTraceElements$1.load(StackTraceElements.java:44)
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3574)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2316)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2189)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2079)
        at com.google.common.cache.LocalCache.get(LocalCache.java:4017)
        at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
        at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
        at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
        at com.google.inject.internal.util.StackTraceElements.forMember(StackTraceElements.java:67)
        at com.google.inject.internal.SourceFormatter.formatMember(SourceFormatter.java:91)
        at com.google.inject.internal.SourceFormatter.formatInjectionPoint(SourceFormatter.java:97)
        at com.google.inject.internal.SourceFormatter.format(SourceFormatter.java:49)
        at com.google.inject.internal.GenericErrorDetail.formatDetail(GenericErrorDetail.java:26)
        at com.google.inject.spi.ErrorDetail.format(ErrorDetail.java:64)
        at com.google.inject.internal.Messages.formatMessages(Messages.java:90)
        at com.google.inject.CreationException.getMessage(CreationException.java:50)
        at io.airlift.log.Logger.error(Logger.java:272)
        at io.trino.server.Server.doStart(Server.java:209)
        at io.trino.server.Server.lambda$start$0(Server.java:94)
        at io.trino.$gen.Trino_467____20241212_215623_1.run(Unknown Source)
        at io.trino.server.Server.start(Server.java:94)
        at io.trino.server.TrinoServer.main(TrinoServer.java:37)


2024-12-12T21:57:22.593Z        ERROR   main    io.trino.server.Server  Unable to create injector, see the following errors:

1) [Guice/ErrorInjectingConstructor]: IllegalArgumentException: bound must be positive
  at RangerSystemAccessControl.<init>(Unknown Source)
  at RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:46)
  while locating RangerSystemAccessControl

Learn more:
  https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR

1 error

======================
Full classname legend:
======================
RangerSystemAccessControl:        "io.trino.plugin.ranger.RangerSystemAccessControl"
RangerSystemAccessControlFactory: "io.trino.plugin.ranger.RangerSystemAccessControlFactory"
========================
End of classname legend:
========================

com.google.inject.CreationException: Unable to create injector, see the following errors:

1) [Guice/ErrorInjectingConstructor]: IllegalArgumentException: bound must be positive
  at RangerSystemAccessControl.<init>(Unknown Source)
  at RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:46)
  while locating RangerSystemAccessControl

Learn more:
  https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR

1 error

======================
Full classname legend:
======================
RangerSystemAccessControl:        "io.trino.plugin.ranger.RangerSystemAccessControl"
RangerSystemAccessControlFactory: "io.trino.plugin.ranger.RangerSystemAccessControlFactory"
========================
End of classname legend:
========================

        at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:589)
        at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:190)
        at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:113)
        at com.google.inject.Guice.createInjector(Guice.java:87)
        at io.airlift.bootstrap.Bootstrap.initialize(Bootstrap.java:288)
        at io.trino.plugin.ranger.RangerSystemAccessControlFactory.create(RangerSystemAccessControlFactory.java:52)
        at io.trino.security.AccessControlManager.createSystemAccessControl(AccessControlManager.java:221)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:215)
        at java.base/java.util.Collections$2.tryAdvance(Collections.java:5075)
        at java.base/java.util.Collections$2.forEachRemaining(Collections.java:5083)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:570)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:560)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:265)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:727)
        at io.trino.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:176)
        at io.trino.server.Server.doStart(Server.java:174)
        at io.trino.server.Server.lambda$start$0(Server.java:94)
        at io.trino.$gen.Trino_467____20241212_215623_1.run(Unknown Source)
        at io.trino.server.Server.start(Server.java:94)
        at io.trino.server.TrinoServer.main(TrinoServer.java:37)
Caused by: java.lang.IllegalArgumentException: bound must be positive
        at java.base/java.util.Random.nextInt(Random.java:551)
        at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:120)
        at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:647)
        at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:106)
        at org.apache.ranger.plugin.policyengine.RangerPluginContext.createAdminClient(RangerPluginContext.java:108)
        at org.apache.ranger.plugin.util.PolicyRefresher.<init>(PolicyRefresher.java:90)
        at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:251)
        at io.trino.plugin.ranger.RangerSystemAccessControl.<init>(RangerSystemAccessControl.java:159)
        at io.trino.plugin.ranger.RangerSystemAccessControl$$FastClassByGuice$$18c289.GUICE$TRAMPOLINE(<generated>)
        at io.trino.plugin.ranger.RangerSystemAccessControl$$FastClassByGuice$$18c289.apply(<generated>)
        at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
        at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
        at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
        at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
        at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
        at io.airlift.bootstrap.LifeCycleModule.provision(LifeCycleModule.java:53)
        at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
        at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
        at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
        at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
        at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
        at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
        at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
        at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
        at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
        ... 19 more
@ebyhr
Copy link
Member

ebyhr commented Dec 13, 2024
edited
Loading

Could you use ``` to improve the readability of the message? https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks

@wendigo
Copy link
Contributor

wendigo commented Dec 13, 2024

This is red herring. The actual error isn't related to guice or jdk 23 but is "incorrect bounds"

@wendigo
Copy link
Contributor

wendigo commented Dec 13, 2024
edited
Loading

This is caused by

this.setLastKnownActiveUrlIndex((new Random()).nextInt(this.getConfiguredURLs().size()));

being called with an empty list. it seems like a misconfiguration issue.

@wendigo wendigo closed this as completed Dec 13, 2024
@wendigo wendigo changed the title Trino 467 Ranger Plugin Incompatible with Guice-7.0.0 ASM with JDK 23 Runtime Ranger: java.lang.IllegalArgumentException: bound must be positive Dec 13, 2024
@epheatt
Copy link
Author

epheatt commented Dec 13, 2024
edited
Loading

Config included the hadoop configmap delivered files at the specified paths based on a self authored chart and container based on 433 with Ranger 2.4.0 in production

    additionalCoordinatorProperties:
      access-control.properties: |
        access-control.name=ranger
        ranger.service.name=trino
        #ranger.plugin.config.resource=/etc/trino/
        ranger.hadoop.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml
      ranger-trino-security.xml: |
        <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
        <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
          <property>
            <name>ranger.plugin.trino.policy.rest.url</name>
            <value>http://apache-ranger.ranger.svc.cluster.local:6080</value>
            <description>MANDATORY: a comma separated list of URLs to Apache Ranger instances in a deployment</description>
          </property>

          <property>
              <name>ranger.plugin.trino.service.name</name>
              <value>trino</value>
              <description>
              Name of the Ranger service containing policies for this Trino instance
              </description>  
          </property>
            
          <property>
              <name>ranger.plugin.trino.policy.source.impl</name>            
              <value>io.trino.plugin.ranger.RangerAdminClientImpl</value>
              <description>
                    Class to retrieve policies from the source
              </description>  
          </property>
            
          <property>            
              <name>ranger.plugin.trino.policy.pollIntervalMs</name>
              <value>300000</value>
              <description>
                    How often to poll for changes in policies?
              </description>  
          </property>
        
          <property>
              <name>ranger.plugin.trino.policy.cache.dir</name>
              <value>/etc/trino/policycache</value>
          </property>

          <property>
            <name>ranger.plugin.trino.access.cluster.name</name>
            <value>trino</value>
            <description>Name to identify the cluster running the Trino instance. This is recorded in audit logs generated by the plugin</description>
          </property>

          <property>
            <name>ranger.plugin.trino.use.rangerGroups</name>
            <value>false</value>
            <description>Boolean flag to specify whether user-to-groups mapping should be obtained from in Apache Ranger. Default: false</description>
          </property>

          <property>
            <name>ranger.plugin.trino.use.only.rangerGroups</name>
            <value>false</value>
            <description>Boolean flag. true: use only user-to-groups mapping from Apache Ranger; false: use user-to-groups mappings from Apache Ranger and Trino. Default: false</description>
          </property>

          <property>
            <name>ranger.plugin.trino.super.users</name>
            <value></value>
            <description>Comma separated list of user names. Superusers will be authorized for all accesses, without requiring explicit policy grants.</description>
          </property>

          <property>
            <name>ranger.plugin.trino.super.groups</name>
            <value></value>
            <description>Comma separated list of group names. Users in supergroups will be authorized for all accesses, without requiring explicit policy grants</description>
          </property>
        </configuration>
      ranger-trino-audit.xml: |
        <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
        <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
          <property>
            <name>xasecure.audit.is.enabled</name>
            <value>false</value>
            <description>Boolean flag to specify if the plugin should generate access audit logs. Default: true</description>
          </property>

          <property>
            <name>xasecure.audit.solr.is.enabled</name>
            <value>false</value>
            <description>Boolean flag to specify if audit logs should be stored in Solr. Default: false</description>
          </property>

          <property>
            <name>xasecure.audit.solr.solr_url</name>
            <value></value>
            <description>URL to Solr deployment where the plugin should send access audits to</description>
          </property>
        </configuration>

@epheatt
Copy link
Author

epheatt commented Dec 13, 2024

This is caused by

this.setLastKnownActiveUrlIndex((new Random()).nextInt(this.getConfiguredURLs().size()));

being called with an empty list. it seems like a misconfiguration issue.

What is the origin of the if not ASM?

java.lang.IllegalArgumentException: Unsupported class file major version 67

@wendigo
Copy link
Contributor

wendigo commented Dec 13, 2024

@epheatt this is irrelevant part of the log. Used only to augment logging with the code line of the guice binding that failed

@lozbrown
Copy link
Contributor

lozbrown commented Dec 14, 2024
edited
Loading

@epheatt

I think you need

ranger.plugin.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml

That's what's working for me with trino 466

Did you mean 433 in your message above or do you actually mean 466

Any chance you could share your helm chart for ranger somewhere?

@epheatt
Copy link
Author

epheatt commented Dec 16, 2024

@epheatt

I think you need

ranger.plugin.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml

That's what's working for me with trino 466

Did you mean 433 in your message above or do you actually mean 466

Any chance you could share your helm chart for ranger somewhere?

I'm using a self built container for 433 with Ranger 2.4.0 plugin patches to get it working with a Ranger container and chart based on the mr3project https://github.com/mr3project/mr3-run-k8s/tree/master/kubernetes/helm/ranger. Using the ranger.plugin.config.resource property instead of ranger.hadoop.config.resource solved the lookup issues.

ranger.plugin.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml,/etc/trino/ranger-policymgr-ssl.xml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wendigo @epheatt @ebyhr @lozbrown