Ranger
Important | |
---|---|
Hortonworks strongly recommends that all users running HDP 2.3.4 upgrade to HDP 2.3.4.7. |
HDP 2.3.4 provides Ranger 0.5.0 and the following Apache patches:
RANGER-246: Need to update the current implementation for recent changes in Kafka.
RANGER-526: Provide REST API to change user role.
RANGER-586: Ranger plugins should not add dependent libraries to component's CLASSPATH.
RANGER-590: Escape spaces in the user and group names which are part of rest call URI in UserSync process.
RANGER-602: Solr client in SolrCloud mode should work with zookeeper settings also.
RANGER-607: Unable to create multiple policyItems for same user or group.
RANGER-608: Denied access to list a directory does not generate audit.
RANGER-652: LDAP configuration tool.
RANGER-656: Ranger UI - KMS Need to handle 404 error when clicked on breadcrumb.
RANGER-658: Package ranger_credential_helper.py with Ranger Usersync assembly.
RANGER-661: Plugin receives empty policy list though the service has policies.
RANGER-663: Race condition during policy update causes policy to get in an bad state.
RANGER-664: Ranger PolicyRefresh REST Client timeout parameter should be configurable.
RANGER-665: ranger.ldap.ad.referral property is not getting updated in RANGER-admin-site.xml.
RANGER-666: Ranger to support Azure SQL Database.
RANGER-671: Add support to retrieve permissions for the logged in user from UserSession rather going to database every time.
RANGER-673: Setup changes to allow Ranger service to installed using custom service user.
RANGER-674: Ranger public rest api gives 200 response for wrong credential instead of 401.
RANGER-677: Ranger Admin fails to render policies referring to groups that contain "." in name.
RANGER-680: Remove public group by default in default policy for KMS repo.
RANGER-681: Update default sync intervals for LDAP and UNIX.
RANGER-682: Ranger to support Azure Blob Datastore as an audit destination via HDFS audit handler.
RANGER-684: Ranger Usersync - Add Ability to transform user/group names.
RANGER-687: after each 30 seconds audit is getting updated in plugin tab.
RANGER-688: Handle scenario where ids of XUser and XPortalUser are not in sync.
RANGER-697: KeyAdmin role user should see only KMS related audit access logs in Audit tab.
RANGER-700: Provide a wrapper shell script to run the FileSourceUserGroupBuilder process.
RANGER-701: Update setup scripts to allow special characters in passwords.
RANGER-702: Optimize policy download performance.
RANGER-705: Ranger Usersync should provide summary logs on the sync progress instead of not logging any details after 2000 users.
RANGER-706: Optimize audit db upgrade patches to minimize timeout issues.
RANGER-712: Create a new project which can serve as a template to write ranger extensions.
RANGER-713: Knox-plugin failed to enable after plugin modification for not to add dependent libraries to component's CLASSPATH.
RANGER-714: Enhancements to the db admin setup scripts.
RANGER-715: Fix issues reported by coverity test in Ranger Plugin ClassLoader.
RANGER-717: Hive and HBase ranger plugin Audit to DB failed to log after plugin modification for not to add dependent libraries to component's CLASSPATH.
RANGER-720: Ldap discovery tool doesn't seem to be working as expected.
RANGER-724: AuditBatchQueue: prevQueueSize not recomputed after initial assignment - static code analyzer flagged issue.
RANGER-725: Add the right .gitignore file to the newly projects so that directory listing is clean after a build.
RANGER-727: Knox Plugin failed to AuditToSpool file when Audit Destination is down.
RANGER-731: Ranger plugin for YARN doesn't seem to be able to write audit to Kerberized HDFS.
RANGER-733: Implement best coding practices to resolve issues found during code scan.
RANGER-739: Ranger HBase Plugin returning null for RegionObserver.preCompact calls causing HBase:ACL issue.
RANGER-740: Kafka Authorizer interface has added close() method. Ranger should also implement it.
RANGER-741: Fix installation script to skip Audit DB password check if audit source is SOLR.
RANGER-742: Ranger usersync fails after syncing 500 users from AD or ldap server when paged results is enabled.
RANGER-743: External users with Admin Role should be allowed to create/update users.
RANGER-744: Kafka Authorizer has updated how IP/Host is passed.
RANGER-745: Upgrade Apache commons-collections.
RANGER-747: RangerAdmin is considering "none" as valid ZK Host Name for Solr.
RANGER-748: Users in policy got changed after upgrade.
RANGER-749: Ranger KMS to support multiple KMS instances with keys across multiple clusters.
RANGER-754: Ranger YARN Plugin lookup and test connection should support SPENGO enabled HTTP Authentication.
RANGER-755: ldap run.sh script fails since auth directory does not exist.
RANGER-756: LdapTool fails with -r option to retrieve only users/group/all.
RANGER-757: [LDAP tool] authentication fails if use -d option to search only users.
RANGER-758: Handle special characters in passwords starting from -r.
RANGER-761: Transaction logs not getting generated under audit menu admin tab if policy name is changed.
RANGER-766: Yarn Plugin Config hadoop.security.authentication should be non-mandatory with default value.
RANGER-767: Refactor UserGroupSink implementation and consolidate performance improvements.
HDP 2.3.2 provided Ranger 0.5.0 and the following Apache patches:
RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped
BUG FIXES
RANGER-560 Policy validation: Provide user friendly error messages about validation failures
RANGER-580 HBase plugin: Plugin may not work after upgrade
RANGER-584 Service validation: Provide user friendly error messages about validation failures
RANGER-587 ranger-admin-site.xml not getting updated when ranger.authentication.method is changed
RANGER-588 Take care of Ranger KMS installation even if 'java' is not in PATH
RANGER-593 Service def validation: Provide user friendly error messages about validation failures
RANGER-594 Policy Validation: Change the logic to generate friendly error messages to be like used for Service and Service def
RANGER-598 Update Ranger config migration script to work with Ranger 0.5
RANGER-615 Audit to db: Truncate all string values of audit record so that writing of audit does not fail
RANGER-618 KMS gets slower in key creation once Database grows
RANGER-621 Solr service-def JSON has incorrect impliedGrants for solr_admin permission
RANGER-622 Hive plugin: Add jar via beeline throws NPE
RANGER-623 Enable plugin scripts should handle file permissions for certain umask value
RANGER-624 Windows installation broken after SQLAnywhere support
RANGER-625 Change db flavor input parameter value from SQLAnywhere to SQLA
RANGER-627 Processing done by Audit Shutdown hooks can confuse someone looking at logs to think that shutdown of a service is held up due to Ranger plugin
RANGER-628 Make filters for ranger-admin search binds configurable
RANGER-630 Data consistency across API and UI
RANGER-632 Policy validation error messages produced by the server are not seen by the user
RANGER-637 Make REFERRAL property in Ranger User sync configurable
RANGER-638 Ranger admin should redirect back to login page when session cookies expires
RANGER-639 Storm plugin - commons-lang is a required dependency and hence should be packaged as part of storm plugin
RANGER-641 Ranger kms start fails if java is not set and started using service keyword
RANGER-642 Update USERSEARCHFILTER for Ranger Authentication on Windows
RANGER-653 Move delegated admin check to mgr layer from service layer for XPermMap and XAuditMap
HDP 2.3.0 provided Ranger 0.5.0 and the following Apache patches:
RANGER-422 Add additional database columns to support aggregation
RANGER-423 Support audit log aggregation in Ranger Admin UI
RANGER-513 Policy validation: resource hierarchies check does not work with single-node hierarchies as in HDFS
RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped.
RANGER-564 Add incubating to the release name
BUG FIXES
RANGER-219 Autocomplete behavior of hive tables/columns
RANGER-524 HBase plugin: list command should prune the tables returned on user permissions
RANGER-529 Policy Validation: resources of a policy must match one of the resource hierarchies of the service def.
RANGER-533 HBase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan
RANGER-539 Rolling downgrade changes
RANGER-545 Fix js error for lower versions of FF (less than 30)
RANGER-548 Key rollover command fails
RANGER-550 Hive plugin: Add audit logging support for metadata queries that have filtering support from hive
RANGER-553 Default policy creation during service creation should handle service defs with multiple hierarchies, e.g. hive, properly
RANGER-554 Ranger KMS keys listing page does not support pagination
RANGER-555 Policy view page (from access audit page) gives 404 with Oracle DB
RANGER-558 HBase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
RANGER-565 Ranger Admin install fails (sometimes) with IO Error when DB used in Oracle
RANGER-566 Installation of Ranger on Oracle 12c with shared database needs to use private synonym instead of public synonym
RANGER-569 Enabling Ranger plugin for HBase should not modify hbase.rpc.protection value
RANGER-570 Knox plugin: after upgrading ranger from 0.4 to 0.5 the Knox plugin won't work because classes with old names are missing
RANGER-571 Storm plugin: after upgrading ranger from 0.4 to 0.5 the plugin won't work because classes with old names are missing
RANGER-575 Allow KMS policies to be assigned to all users
RANGER-576 Storm audit not showing access type in the Ranger Admin Audit UI
HDP CHANGES
RANGER-450 Failed to install Ranger component due to Ranger policyManager script failures