Feature Request: Ranger authorization integration

[HariSekhon]

Feature Request to add Apache Ranger integration support for Presto.

This will solve authorization very nicely for most people who are running the widely used standard open source Hortonworks Hadoop platform and provide granular access controls down to the column level, as well as integrating to the single-pane-of-glass for security configuration and auditing across all data access components on a Hadoop cluster.

Also, is there any chance this project could go in to the Apache Foundation? I think this combined with Ranger integration would massively increase Presto's market, especially if Hortonworks were to adopt it (they usually require their integrated components to be in the Apache Foundation).

Great work so far on this distributed SQL engine btw! :)

[HariSekhon]

This could perhaps piggy back to use Hive policies in Ranger or else copy what Hive has to a separately managed policy for Presto. There are trade-offs to both styles, so perhaps make this a configurable user choice.

[illion20]

I am trying to implement authorization for any connector. For that to work I need to access the resources (columns etc) for the connector. I have been trying to find where in the source you have access to the connector metadata (tables, columns, connection detail etc) and the query information before execution and it seems all of this is available to you in the SQLQueryExecution class in the start function.

https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/execution/SqlQueryExecution.java

After you have analyzed the query and gotten all the connector handles.

Would this be a good place to perform an authorization check if we can access the necessary resources (column granularity). It feels like its too late in the Presto process to reject a request but who knows. Anyone who can point me in the right direction?

Thank you

[mwacc]

any updates or plans where integration will be completed?

[RameshByndoor]

Hi,
I could add a plugin to presto with Ranger(Registered presto as new ranger service with catalog->schema->table->column as resources) and all those methods implemented from SystemAccessControl are working fine.
I would need to refractor and would like to bring it to here.

Need some help with addressing column level security:
Does com.facebook.presto.sql.analyzer.StatementAnalyzer has any placeholder for identifying column resources used in query to apply column level security check.? Currently i am looking at this method
analyzeSelect( https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/sql/analyzer/StatementAnalyzer.java#L1710

Any hint around this area would be much appreciated.

[kokosing]

What about using https://github.com/prestodb/presto/blob/master/presto-spi/src/main/java/com/facebook/presto/spi/security/SystemAccessControl.java#L221

[RameshByndoor]

Thanks @kokosing. that helps. My bad I was checking with v201.
Need a clarification on Set<String> columnNames passed to checkCanSelectFromColumns method.
For the below query, I'm expecting object_name alone in columnNames. but as of now it's object_name_alias and object_name. Can this be filtered with the help of metadata in AccessControlManager before making call.

select object_name as object_name_alias from "java.lang:type=memory" mem;

https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/security/AccessControlManager.java#L598

[kokosing]

To me it sounds like a bug?

CC: @rschlussel2 Is this expected?

[tooptoop4]

@RameshByndoor can u share the code?

[kokosing]

@RameshByndoor Are you going to base your work on top of #10904?

[rschlussel]

@RameshByndoor can you give an example query where you're seeing the alias and object name. I can take a look.

[RameshByndoor]

@rschlussel2 you can use simple command as select object_name as object_name_alias from "jmx.current.java.lang:type=memory";
& you can catch this getting called from here. https://github.com/prestodb/presto/blob/master/presto-main/src/main/java/com/facebook/presto/security/AccessControlManager.java#L598

[RameshByndoor]

@rschlussel can you help me with the above.? Is it expected or how to patch it.?

[InfyNord]

I want to implement ranger plugin for presto .. could you please point to the branch which I can refer and clone and test

[shubhamtagra]

@RameshByndoor are you working on this actively? We have a need to add this support and were planning to take up this work up unless someone else is already working on it. Please let me know.

[shubhamtagra]

@RameshByndoor the issue you mentioned does seem like a bug and is easily reproducible. While @rschlussel is looking at it you can unblock by filtering columns which are not identifiers, something like this in Analyzer.analyze:

+        List<String> identifiers = analysis
+                .getColumnReferences()
+                .stream()
+                .filter(nodeRef -> nodeRef.getNode() instanceof Identifier)
+                .map(nodeRef -> ((Identifier) nodeRef.getNode()).getValue())
+                .collect(Collectors.toList());
         analysis.getTableColumnReferences().forEach((accessControlInfo, tableColumnReferences) ->
                 tableColumnReferences.forEach((tableName, columns) ->
                         accessControlInfo.getAccessControl().checkCanSelectFromColumns(
                                 session.getRequiredTransactionId(),
                                 accessControlInfo.getIdentity(),
                                 tableName,
-                                columns)));
+                                columns.stream().filter(column -> identifiers.contains(column)).collect(Collectors.toSet()))));

[rschlussel]

Thanks for the reminder- I'd forgotten about this. I just put up a PR to fix it #11295

[RameshByndoor]

@stagraqubole The code is similar in both the cases. Its a matter of where we plug it.
According to me the trade off between SystemAccessControl and ConnectorAccessControl is .

SystemAccessControl would work regardless of all the underlying connectors of presto. Policies will be maintained under presto service in Ranger making presto as a main query engine.
Using ConnectorAccessControl can make use of the existing policies defined. This helps presto be a parallel query engine which points to existing policies. For eg hive policies defined in ranger.
Another point about using ConnectorAccessControl is, with multiple connectors enabled then multiple Policy engines of ranger will be created, which are inherently heavy(As per https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207).

[shubhamtagra]

Taking example of Hive connector which would be the biggest consumer of Ranger support, doing it in SystemAccessControl would mean that you will maintain two Ranger policies now: one for Hive and one for Presto which would get difficult to maintain. Doing it in ConnectorAccessControl allows a single Policy holder in Ranger and that would be the one created for Hive, very similar to having SqlStandardAccessControl as ConnectorAccessControl rather than SystemAccessControl.

[nmadhire]

@rschlussel Does your PR fix #11295 has a support for Ranger in Presto now?

[rschlussel]

no. it unblocks @RameshByndoor who is working on adding support.

[saravsathyamoorthy]

im interested in this ranger plugin for presto.. can you give some branch which i can take and try to test

[RameshByndoor]

We are on test cases nd other sanity checks, Not yet ready to PR.

[gray-eb]

Any update on timeline? I appreciate the work you've done for this plugin. Would love to get my hands on it.

[cryptoe]

https://docs.google.com/document/d/1Jtapmwkp1Up_w6w_3dUeOXfLPLRAsglbqoIWNRG-NJM/edit#

This is what me and @RameshByndoor have done. We are testing the code at this moment. I can't commit any hard timelines but we should be in a state to release it next week.

We have also handled #10996 as part of the ranger presto integration.

Features supported :

1. Multiple catalog support
2. Able to reuse existing policies
3. Row based + Column based filters supported

[gray-eb]

This may not be the best place for a question, but given the lack of support for this specific feature, I figured I'll give it a shot.

@cquptEthan or any one else? Have you gotten SSL working with this custom plugin? We don't have the CredentialProvider API setup for keystore passwords, and I'm at a loss on how to get this working without it.

From what I can tell, the properties I need to have available with an https Ranger endpoint are:
xasecure.policymgr.clientssl.keystore=
xasecure.policymgr.clientssl.truststore=
xasecure.policymgr.clientssl.keystore.credential.file=
xasecure.policymgr.clientssl.truststore.credential.file=

The plugin then expects a value for hadoop.security.credential.provider.path to interrogate the CredentialProvider API for a password of the keystore/truststore based on the last two properties above. Is this understanding correct? How can I get around using the CredentialProvider API?

[x90004942]

@x90004942 I apologize it seems that with a different invocation some extra jars are needed in the plugin directory (plugin/ranger/ranger-impl). You can just pick those up and add them and it will start to work:

commons-codec commons-codec-1.12
com.kstruct gethostname4j-0.0.3
com.sun jna-3.0.9.jar

I will update the plugin in Ranger to add those.

thank you
I have put these jar into directory ranger-impl, like below. but I also got the same error.
is there anything I did wrong?

ll direcotry:

root@slave3:/opt/presto316/presto-server-316-SNAPSHOT/plugin/ranger/ranger-presto-plugin-impl# ll
total 30284
drwxr-xr-x 3 root root 4096 Jun 27 10:13 ./
drwxr-xr-x 3 root root 4096 Jun 25 11:30 ../
-rwsrwsrwt 1 1003 1002 41123 Nov 26 2018 commons-cli-1.2.jar*
-rwsrwsrwt 1 root root 2107981 Jun 27 09:59 commons-codec-1.12-bin.tar.gz*
-rwsrwsrwt 1 root root 339669 Jun 27 10:13 commons-codec-1.12.jar*
-rwsrwsrwt 1 root root 489179 Jun 27 10:13 commons-codec-1.12-javadoc.jar*
-rwsrwsrwt 1 root root 344285 Jun 27 10:13 commons-codec-1.12-sources.jar*
-rwsrwsrwt 1 root root 290302 Jun 27 10:13 commons-codec-1.12-tests.jar*
-rwsrwsrwt 1 root root 194732 Jun 27 10:13 commons-codec-1.12-test-sources.jar*
-rwsrwsrwt 1 1003 1002 588337 Nov 30 2018 commons-collections-3.2.2.jar*
-rwsrwsrwt 1 1003 1002 616888 Nov 30 2018 commons-configuration2-2.1.1.jar*
-rwsrwsrwt 1 1003 1002 208700 Nov 27 2018 commons-io-2.5.jar*
-rwsrwsrwt 1 1003 1002 284220 Nov 26 2018 commons-lang-2.6.jar*
-rwsrwsrwt 1 1003 1002 61829 Nov 30 2018 commons-logging-1.2.jar*
drwxr-xr-x 2 root root 4096 Jun 25 16:08 conf/
-rwsrwsrwt 1 1003 1002 8632395 Nov 30 2018 eclipselink-2.5.2.jar*
-rwsrwsrwt 1 root root 4202 Jun 27 09:59 gethostname4j-0.0.3.jar*
-rwsrwsrwt 1 1003 1002 190432 Nov 30 2018 gson-2.2.4.jar*
-rwsrwsrwt 1 root root 138309 Jun 20 14:29 hadoop-auth-3.1.1.jar*
-rwsrwsrwt 1 root root 4034318 Jun 20 14:29 hadoop-common-3.1.1.jar*
-rwsrwsrwt 1 1003 1002 1502280 Nov 30 2018 htrace-core4-4.1.0-incubating.jar*
-rwsrwsrwt 1 1003 1002 747794 Nov 30 2018 httpclient-4.5.3.jar*
-rwsrwsrwt 1 1003 1002 323824 Nov 30 2018 httpcore-4.4.6.jar*
-rwsrwsrwt 1 1003 1002 41029 Nov 30 2018 httpmime-4.5.3.jar*
-rwsrwsrwt 1 1003 1002 232248 Nov 26 2018 jackson-core-asl-1.9.13.jar*
-rwsrwsrwt 1 1003 1002 18336 Nov 30 2018 jackson-jaxrs-1.9.13.jar*
-rwsrwsrwt 1 1003 1002 780664 Nov 26 2018 jackson-mapper-asl-1.9.13.jar*
-rwsrwsrwt 1 1003 1002 27075 Dec 7 2018 jackson-xc-1.9.2.jar*
-rwsrwsrwt 1 1003 1002 162126 Nov 30 2018 javax.persistence-2.1.0.jar*
-rwsrwsrwt 1 1003 1002 1621691 Nov 30 2018 jersey-bundle-1.19.3.jar*
-rwsrwsrwt 1 1003 1002 436689 Nov 30 2018 jersey-core-1.19.jar*
-rwsrwsrwt 1 root root 165345 Jun 20 14:29 jersey-json-1.19.jar*
-rwsrwsrwt 1 root root 702882 Jun 20 14:29 jersey-server-1.19.jar*
-rwsrwsrwt 1 root root 795871 Jun 27 09:59 jna-3.0.9.jar*
-rwsrwsrwt 1 root root 27948 Jun 20 14:30 noggit-0.8.jar*
-rw-r--r-- 1 root root 196377 Jun 21 11:56 ranger-plugins-audit-2.0.0-SNAPSHOT.jar
-rw-r--r-- 1 root root 768440 Jun 21 11:56 ranger-plugins-common-2.0.0-SNAPSHOT.jar
-rw-r--r-- 1 root root 12157 Jun 21 11:56 ranger-plugins-cred-2.0.0-SNAPSHOT.jar
-rwxr--r-- 1 root root 10476 Jun 25 16:07 ranger-presto-audit.xml*
-rw-r--r-- 1 root root 46186 Jun 21 11:58 ranger-presto-plugin-2.0.0-SNAPSHOT.jar
-rwxr--r-- 1 root root 2657 Jun 25 16:07 ranger-presto-security.xml*
-rwsrwsrwt 1 root root 2001986 Jun 20 14:30 solr-solrj-7.7.1.jar*
-rwsrwsrwt 1 1003 1002 161867 Nov 30 2018 stax2-api-3.1.4.jar*
-rwsrwsrwt 1 1003 1002 512742 Nov 30 2018 woodstox-core-5.0.3.jar*
-rwsrwsrwt 1 root root 911603 Jun 20 14:30 zookeeper-3.4.14.jar*

error:
2019-06-27T10:17:42.393+0800 INFO Ranger async Audit cleanup org.apache.ranger.audit.provider.AuditProviderFactory RangerAsyncAuditCleanup: Waiting to audit cleanup start signal
2019-06-27T10:17:42.396+0800 INFO main org.apache.ranger.plugin.service.RangerBasePlugin PolicyEngineOptions: { evaluatorType: auto, evaluateDelegateAdminOnly: false, disableContextEnrichers: false, disableCustomConditions: false, disableTagPolicyEvaluation: false, enableTagEnricherWithLocalRefresher: false, disableTrieLookupPrefilter: false, optimizeTrieForRetrieval: false, cacheAuditResult: false }
2019-06-27T10:17:42.455+0800 ERROR main io.prestosql.server.PrestoServer Unable to create injector, see the following errors:

1. Error injecting constructor, java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
   at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:40)
   at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:45)
   while locating org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl

1 error
com.google.inject.CreationException: Unable to create injector, see the following errors:

1. Error injecting constructor, java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
   at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:40)
   at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:45)
   while locating org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl

1 error
at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:543)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109)
at com.google.inject.Guice.createInjector(Guice.java:87)
at io.airlift.bootstrap.Bootstrap.initialize(Bootstrap.java:240)
at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControlFactory.create(RangerSystemAccessControlFactory.java:53)
at io.prestosql.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:142)
at io.prestosql.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:122)
at io.prestosql.server.PrestoServer.run(PrestoServer.java:138)
at io.prestosql.server.PrestoServer.main(PrestoServer.java:70)
Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:56)
at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl$$FastClassByGuice$$ec9f475b.newInstance()
at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)
... 8 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:54)
... 18 more
Caused by: java.lang.UnsatisfiedLinkError: Unable to load library 'c': /usr/lib/x86_64-linux-gnu/libc.so: invalid ELF header
at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:145)
at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:188)
at com.sun.jna.Library$Handler.(Library.java:123)
at com.sun.jna.Native.loadLibrary(Native.java:255)
at com.sun.jna.Native.loadLibrary(Native.java:241)
at com.kstruct.gethostname4j.Hostname$UnixCLibrary.(Hostname.java:12)
at com.kstruct.gethostname4j.Hostname.getHostname(Hostname.java:30)
at org.apache.ranger.plugin.util.RangerRESTUtils.(RangerRESTUtils.java:74)
at org.apache.ranger.admin.client.RangerAdminRESTClient.(RangerAdminRESTClient.java:58)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at org.apache.ranger.plugin.service.RangerBasePlugin.createAdminClient(RangerBasePlugin.java:597)
at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:233)
at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:84)
... 23 more

[bolkedebruin]

Its not the same:
Caused by: java.lang.UnsatisfiedLinkError: Unable to load library 'c': /usr/lib/x86_64-linux-gnu/libc.so: invalid ELF header

This you need to fix yourself as that is not an issue with the plug-in but an is errot

[x90004942]

thank you very much . i have solved this problem by putting A right libc.so into this directory.
now I can see my presto plugin in the Ranger web -- Audit--Plugins page , whose status is 200：)

then i add a service prestodev, using jdbc:presto://10.183.243.83:8090. when I test the connection , i got another error :

Connection Failed.
Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.

org.apache.ranger.plugin.client.HadoopException: Unable to connect to Presto instance.. 
Unable to connect to Presto instance.. 
Authentication using username/password requires SSL to be enabled.

my presto server is configured with SSL. and i can access presto by ./presto_cli --server https://slave3.example.com:9090 --catalog mysql --schema population --truststore-path /opt/presto-public.store --truststore-password XXX123 --user root --password

so how can I configure Ranger with SSL? and also i can not find the file ranger_admin.log

[dsjoegeo]

Could you please tell us which version of horton on which it worked.we get a facebook spi not found error when we add ranger plugin in prest

[dsjoegeo]

We are getting errors on the same lines as the one posted above by x90004942 commented on Jul 2
Connection Failed.
Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.
We got test connection failed.
We also tried to search the ranger_admin.log without any sucess.
Any help would be really appreciated.

[andy12383]

@dsjoegeo
in my environment , I configured presto wtih ranger and LDAP with https enabled. you can refer to the official website.
the problem I encountered was that , in the Config Properties in ranger admin webpage, I input a wrong port into jdbc.url (jdbc:presto://10.183.163.138:9090). 9090 is the secure port for https.
then I change the port to 8080 which is my unsecured port. it works .test connection successfully

[shekarrreddy568-zz]

Hey I have implemented prestodb integration with Ranger successfully in my environment

[brucemen711]

Hi all, Is this thread still active ?

[bolkedebruin]

No?

[KentonParton]

@shekarrreddy568 would you mind sharing the environment you used to test the ranger integration?

[shekarrreddy568-zz]

hey , Currently i am on vacation, can be able to help after 10 days.

…

On Fri, Mar 20, 2020, 7:28 AM Kenton Parton ***@***.***> wrote: @shekarrreddy568 <https://github.com/shekarrreddy568> would you mind sharing the environment you used to test the ranger integration? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#8980 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALI7QXELTZQ2OD6O5A62SLLRILETPANCNFSM4D3CREYA> .

[KentonParton]

@shekarrreddy568 That would be great, thank you!

[KentonParton]

Is this documentation still up to date? https://cwiki.apache.org/confluence/display/RANGER/Presto+Plugin

If not, would someone mind providing a link please. Thank you!

[serkef]

@shekarrreddy568 We would appreciate a summary of your environment

[aweisberg]

@shekarrreddy568-zz @shekarreddy568 taking a gamble here on whether you are reachable? Still wondering if you can share your experience with using Ranger.

[ashishtadose]

@aweisberg
I'm working on the connector access control implementation for ranger authorization.
Here is the proposed design.

[exolab]

Is anyone still actively working on this?

[ashishtadose]

Yes, I have WIP implementation, will share the PR by sometime next week.

[sridhartw]

@rohanpednekar Is active development going on for this? When can we expect it to be released tentatively

[rohanpednekar]

@sridhartw, yes we are actively working on this. Subscribe to #15519 for the live updates. Thanks!

[rohanpednekar]

For help with PrestoDB, please join the Presto Community Slack channel at https://prestodb.slack.com.

[datainteg]

ERROR main io.trino.server.Server Unable to create injector, see the following errors:

1. [Guice/ErrorInjectingConstructor]: RuntimeException: InvocationTargetException
   at RangerSystemAccessControl.(RangerSystemAccessControl.java:38)
   at RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:45)
   while locating RangerSystemAccessControl

Learn more:
https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR

1 error

======================
Full classname legend:

InvocationTargetException: "java.lang.reflect.InvocationTargetException"
RangerSystemAccessControl: "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl"
RangerSystemAccessControlFactory: "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControlFactory"

End of classname legend:

com.google.inject.CreationException: Unable to create injector, see the following errors:

1. [Guice/ErrorInjectingConstructor]: RuntimeException: InvocationTargetException
   at RangerSystemAccessControl.(RangerSystemAccessControl.java:38)
   at RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:45)
   while locating RangerSystemAccessControl

Learn more:
https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR

1 error

======================
Full classname legend:

InvocationTargetException: "java.lang.reflect.InvocationTargetException"
RangerSystemAccessControl: "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl"
RangerSystemAccessControlFactory: "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControlFactory"

End of classname legend:

    at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:576)
    at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:190)
    at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:113)
    at com.google.inject.Guice.createInjector(Guice.java:87)
    at io.airlift.bootstrap.Bootstrap.initialize(Bootstrap.java:262)
    at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControlFactory.create(RangerSystemAccessControlFactory.java:53)
    at io.trino.security.AccessControlManager.createSystemAccessControl(AccessControlManager.java:182)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.Collections$2.tryAdvance(Collections.java:4853)
    at java.base/java.util.Collections$2.forEachRemaining(Collections.java:4861)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at io.trino.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:151)
    at io.trino.server.Server.doStart(Server.java:157)
    at io.trino.server.Server.lambda$start$0(Server.java:88)
    at io.trino.$gen.Trino_403_amzn_0____20240626_061636_1.run(Unknown Source)
    at io.trino.server.Server.start(Server.java:88)
    at io.trino.server.TrinoServer.main(TrinoServer.java:38)

Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:61)
at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl$$FastClassByGuice$$1462595.GUICE$TRAMPOLINE()
at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl$$FastClassByGuice$$1462595.apply()
at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
at io.airlift.bootstrap.LifeCycleModule.provision(LifeCycleModule.java:54)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
... 19 more
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:59)
... 36 more
Caused by: java.lang.IllegalArgumentException: bound must be positive
at java.base/java.util.Random.nextInt(Random.java:322)
at org.apache.ranger.plugin.util.RangerRESTClient.(RangerRESTClient.java:122)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:666)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:125)
at org.apache.ranger.plugin.policyengine.RangerPluginContext.createAdminClient(RangerPluginContext.java:108)
at org.apache.ranger.plugin.util.PolicyRefresher.(PolicyRefresher.java:95)
at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:242)
at org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl.(RangerSystemAccessControl.java:107)
... 42 more

2024-06-26T06:16:53.690Z INFO Thread-100 io.airlift.bootstrap.LifeCycleManager JVM is shutting down, cleaning up
2024-06-26T06:16:53.691Z INFO Thread-102 io.airlift.bootstrap.LifeCycleManager JVM is shutting down, cleaning up
2024-06-26T06:16:53.691Z INFO Thread-98 io.airlift.bootstrap.LifeCycleManager JVM is shutting down, cleaning up
2024-06-26T06:16:53.691Z INFO Thread-102 io.airlift.bootstrap.LifeCycleManager Life cycle stopping...
2024-06-26T06:16:53.691Z INFO Thread-100 io.airlift.bootstrap.LifeCycleManager Life cycle stopping...