Release Notes
Also available as:
PDF

Ranger

This release provides Ranger 0.7.0 and the following Apache patches:

  • RANGER-1805: Code improvement to follow best practices in js.

  • RANGER-1937: Ranger tagsync should process ENTITY_CREATE notification, to support Atlas import feature

  • RANGER-1960: Take snapshot's table name into consideration for deletion.

  • RANGER-1982: Error Improvement for Analytics Metric of Ranger Admin and Ranger KMS.

  • RANGER-1984: Hbase audit log records may not show all tags associated with accessed column.

  • RANGER-1988: Fix insecure randomness.

  • RANGER-1990: Add One-way SSL MySQL support in Ranger Admin.

  • RANGER-2006: Fix problems detected by static code analysis in ranger usersync for ldap sync source.

  • RANGER-2008: Policy evaluation is failing for multiline policy conditions.

HDP 2.6.4 provided Ranger 0.7.0 and the following Apache patches:

  • RANGER-1880: TagSync update to process TRAIT_UPDATE notification from Atlas.

  • RANGER-1883: TagSync should reuse kerberos ticket in REST calls to Ranger Admin.

  • RANGER-1897: tagsync update to replace Atlas V1 API usage with Atlas V2 API for tag-download using REST.

HDP 2.6.3 provided Ranger 0.7.0 and the following Apache patches:

  • RANGER-1176: Ranger admin does not allow to create / update a policy with only delegate admin permission.

  • RANGER-1402: NPE if there is a problem with the HiveClient driverClassName.

  • RANGER-1403: There is a problem in buildks class when delete invalid keystore file.

  • RANGER-1408: When the error occurs, the system does not record the error message in RangerServiceService class.

  • RANGER-1415: The ranger can be opened when the user enters http://localhost:6080/ in the browser address bar...

  • RANGER-1427: Remove a lot of not used code - found because Boolean.getBoolean must be wrong.

  • RANGER-1505: Remove KeyProtector code in KMS.

  • RANGER-1632: Users are not sync'd when sAMAccountName is different than CN associated with groups.

  • RANGER-1674: IMPORT START audit is not appearing on audit page.

  • RANGER-1676: Policy Details popup from Access audit page not displaying details of masking policy.

  • RANGER-1682: Clicking on export service after session timeout gets stuck indefinitely.

  • RANGER-1697: Update NiFi service def + handle upgrade scenario for the same.

  • RANGER-1705: Good coding practice in Ranger recommended by static code analysis.

  • RANGER-1715: 'repl dump <database>.<table>' failed to authorize in Ranger.

  • RANGER-1715: Enhance Ranger Hive Plugin to support authorization on Hive replication Tasks.

  • RANGER-1717: User with KEYADMIN role is not able to see Audit => Admin logs.

  • RANGER-1724: On Report listing page for masking/row filter policies show only mask/row filter conditions.

  • RANGER-1726: User are not getting deleted when Knox proxy is Enabled.

  • RANGER-1727: Ranger allows user to change an external user's password with 'null' old password.

  • RANGER-1730: Utility script that will list the users with a given role.

  • RANGER-1735: Support representing nested group memberships in Ranger Admin.

  • RANGER-1736: Good coding practice in Ranger recommended by static code analysis.

  • RANGER-1747: LDAP paged results resets to 500 after fetching first page of results.

  • RANGER-1748: User is unable to update existing policy while importing policy from file.

  • RANGER-1754: correcting group deletion message.

  • RANGER-1756: Handle role related restrictions for users having User role.

  • RANGER-1765: Add unique key constraint in x_group and x_group_users table.

  • RANGER-1771: Improve performance of merging lists of policyEvaluators returned by Trie.

  • RANGER-1779: last resource gets duplicated during update policy if policy is created through public api rest call.

  • RANGER-1783: Update XUserREST for listing users.

  • RANGER-1786: Need warning on external user role change.

  • RANGER-1787: User has to fill up all the allow and deny conditions items to create a knox policy.

  • RANGER-1788: Install Ranger admin failure.

  • RANGER-1795: Service should not be renamed if tagged service resources exist for it unless 'forceRename=true' option is specified.

  • RANGER-1797: Ranger - Upgrade Tomcat version.

  • RANGER-1800: Usersync fails to update users and groups during incremental sync with nested groups and group first search enabled.

  • RANGER-1801: group user mapping updates to ranger admin fail when the mapping is already existed in ranger DB.

  • RANGER-1806: Good coding practice in Ranger recommended by static code analysis.

  • RANGER-1817: Audit to Solr fails to log when the number of columns are in large number.

  • RANGER-1818: Good coding practice in Ranger recommended by static code analysis.

  • RANGER-1819: Not able to delete group that is having special character(ampersand) from ranger admin.

  • RANGER-1820: Address Ranger DB consolidated SQL script inconsistency.

  • RANGER-1820: Duplicate entries should be deleted before creation of unique index on x_group and x_group_users table.

  • RANGER-1825: Ranger Tagsync start is failing.

  • RANGER-1826: Import of bulk policies is causing OOM and Apparent Deadlock.

  • RANGER-1832: Export REST API should return exact matching results if polResource param is provided.

  • RANGER-1834: row filter policies are not being returned by policy search.

  • RANGER-1838: Refactor Jisql dependencies.

  • RANGER-1841: Audit log record for 'use dbName' hive command contains large number of tags.

  • RANGER-1843: Tag enricher performance improvement in identifying tags for resource being accessed.

  • RANGER-1851: Providing authorization for Hive query kill API (RMP-9474).

  • RANGER-1853: Masking functions based on custom masking of string types fails to unescape quotes properly.

HDP 2.6.2 provided Ranger 0.7.0 and the following Apache patches:

  • RANGER-1402: NPE if there is a problem with the HiveClient driverClassName.

  • RANGER-1403: There is a problem in buildks class when delete invalid keystore file.

  • RANGER-1408: When the error occurs, the system does not record the error message in RangerServiceService class.

  • RANGER-1446: Ranger Solr Plugin does not work when the collection list in the request is empty.

  • RANGER-1489: Solr plugin fails to get client address.

  • RANGER-1491: Add Ability in Usersync to automatically assign ADMIN/KEYADMIN role in Ranger for external users.

  • RANGER-1492: UI updates to support tag-based masking policies.

  • RANGER-1493: Policy engine updates to support tag-based datamasking and rowfiltering policies.

  • RANGER-1494: Policy engine updates to support tag-based masking policies.

  • RANGER-1494: Tag service-def updates to support masking and row-filter policies.

  • RANGER-1501: Audit Flush to HDFS does not actually cause the audit logs to be flushed to HDFS.

  • RANGER-1502: Solr shutdown does not cause the audit log file to be flushed and closed.

  • RANGER-1505: Remove KeyProtector code in KMS.

  • RANGER-1555: Ranger UI Audit Menu-> Admin tab diff view pop-up does not come up..

  • RANGER-1580: Update Kafka tests to work with 0.10.1.1.

  • RANGER-1582: Support KNOX SSO Token based authentication on Ranger REST API calls.

  • RANGER-1628: Good coding practice suggested by static code analysis.

  • RANGER-1638: Atlas metadata server start failure.

  • RANGER-1638: Improve the password validation from Ranger API.

  • RANGER-1639: Ranger KMS should validate key name before importing into DB.

  • RANGER-1642: Policies listed on 2nd page and onwards of Policy Landing page don't reflect any edits on them.

  • RANGER-1647: Allow Ranger policy conditions to use tag attributes and values in Ranger.

  • RANGER-1648: Ranger Kafka Plugin now should use the Short name from Kafka Session Object.

  • RANGER-1649: Ranger Solr Plugin fails to refresh policy due to failure in ticket renewal mechanism.

  • RANGER-1651: Improve Ranger and Ranger KMS REST API documentation.

  • RANGER-1653: Proxying Ranger UI does not work with Ranger-KnoxSSO.

  • RANGER-1658: Solr gives NPE while printing the AuthorizationContext in INFO and DEBUG log.

  • RANGER-1661: Default Ranger HDFS policy resource path is wrong.

  • RANGER-1665: provide a way to get list of policies associated with given resource.

  • RANGER-1666: Ranger UI should consider recursiveSupported attribute value at each resource level to Store the Policy.

  • RANGER-1670: Change in Atlas Kafka consumer interface for Atlas tag sync.

  • RANGER-1679: Export Policy not working when Knox proxy is Enabled..

  • RANGER-1689: Enabling recursive policy only for relativepath in WASB servicedef.

  • RANGER-1695: Optimize Ranger code for authorization of HDFS 'getContentSummary' and 'delete' commands.

  • RANGER-1696: Request to get all policies for hive or hbase service-type does not include policies that apply to specific child resource.

  • RANGER-1708: Remove tag services from service type and service name filters under Access Audit..

  • RANGER-1714: Disable dynamic sorting of policies when trie pre-filter is enabled.

  • RANGER-1715: Enhance Ranger Hive Plugin to support authorization on Hive replication Tasks.

  • RANGER-1737: Fixed RANGER-1181 by providing correct set of parameters to Hdfs Native Authorizer in case of fall-back.

HDP 2.6.1 provided Ranger 0.7.0 and the following Apache patches:

  • RANGER-1436: Disable, by default, deny policies with ranger.servicedef.enableDenyAndExceptionsInPolicies config parameter.

  • RANGER-1436: Turn Ranger Deny Policy & Except Conditions block to On by default .

  • RANGER-1475: reducing the highest time stamp value to pick all the users syncd during sync cycle.

  • RANGER-1490: Increase size of sort_order column of x_policy_resource_map.

  • RANGER-1531: Good coding practice while parsing XML documents in Ranger.

  • RANGER-1546: Code Improvement To Follow Best Practices.

  • RANGER-1548: Ranger needs better error messages when Ambari Infra is off.

  • RANGER-1550: HDFS test connection and resource lookup failing.

  • RANGER-1612: When servicedef is accessed, def_options property "enableDenyAndExceptionsInPolicies" is returned as "false" if there is no value set for it.

HDP 2.6.0 provided Ranger 0.7.0 and the following Apache patches:

  • RANGER-1378: Update MySQL Schema to fix issues related to only_full_group_by restriction of MySQL 5.7 version..

  • RANGER-1383: Use resource matchers for filtering service policies.

  • RANGER-1392: Hive test connection is failing even if jdbc.url configured is correct to 2.6-maint.

  • RANGER-1392: Revert "RANGER-1392: Hive test connection is failing even if jdbc.url configured is correct to 2.6-maint".

  • RANGER-1401: Add consolidated db schema script for SQLServer DB flavor.

  • RANGER-1405: groups are not shown if exact user name is passed in search filter.

  • RANGER-1406: Audit spoolfile not getting created when ranger service user didn't have permission to log into Solr.

  • RANGER-1407: Service update transaction log is not generated in some cases.

  • RANGER-1409: User role get deleted from table when he tries to update his role to a restricted role.

  • RANGER-1413: Fix issues uncovered by static code analysis.

  • RANGER-1413: Good coding practice in Ranger recommended by static code analysis.

  • RANGER-1417: Ranger Upgrade is failing for Oracle DB flavor.

  • RANGER-1422: Ranger Knox Plugin audit doesn't have the access type populated.

  • RANGER-1428: In certain scenario user data contains junk email-id.

  • RANGER-1434: Enable Group Search First causes issues when Enable Group Sync is disabled - 2.6-maint branch.

  • RANGER-1435: Allow different files to be specified for unix based usersync - 2.6-maint.

  • RANGER-1435: fixed minor issue of resource filenames from previous commit.

  • RANGER-1440: Improve install script to retry failing statements.

  • RANGER-1448: Change of import / export icons on Ranger UI.

  • RANGER-1453: Ranger KMS failed to start with Exception] : More than one Master Key exists.

  • RANGER-1459: Ranger update policy API is failing on Postgres / Oracle for case sensitive ACLs.

  • RANGER-1477: 'show databases' fails with access-denied when user doesn't have access to some of the databases.