Known Issues in Apache Ranger

This topic describes known issues and workarounds for using Ranger in this release of Cloudera Runtime.

CDPD-15715: The Zone Name field is not populated in Ranger audits when there is a deny policy in the security zone or if there is no policy granting access to the matching resource path in the security zone.

CDPD-3296: Audit files for Ranger plugin components do not appear immediately in S3 after cluster creation

For Ranger plugin components (Atlas, Hive, HBase, etc.), audit data is updated when the applicable audit file is rolled over. The default Ranger audit rollover time is 24 hours, so audit data appears 24 hours after cluster creation.

Workaround:
To see the audit logs in S3 before the default rollover time of 24 hours, use the following steps to override the default value in the Cloudera Manager safety valve for the applicable service.
  1. On the Configuration tab in the applicable service, select Advanced under CATEGORY.
  2. Click the + icon for the <service_name> Advanced Configuration Snippet (Safety Valve) for ranger-<service_name>-audit.xml property.
  3. Enter the following property in the Name box:

    xasecure.audit.destination.hdfs.file.rollover.sec

  4. Enter the desired rollover interval (in seconds) in the Value box. For example, if you specify 180, the audit log data is updated every 3 minutes.
  5. Click Save Changes and restart the service.
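
To confirm the override from the steps above took effect, the following added example (not Cloudera code) reads a Hadoop-style `<configuration>` document, which is the format assumed here for ranger-<service_name>-audit.xml, and reports the effective rollover interval. The function name, the `max_sec` limit and the sample documents are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ROLLOVER_KEY = "xasecure.audit.destination.hdfs.file.rollover.sec"
DEFAULT_ROLLOVER_SEC = 24 * 60 * 60  # default rollover stated on this page


def check_rollover(xml_text, max_sec=900):
    """Return (effective_seconds, findings) for one audit config document.

    max_sec is a hypothetical site limit on acceptable audit delay.
    effective_seconds is None when the configured value cannot be parsed.
    """
    findings, value = [], None
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name") or ""
        if name == ROLLOVER_KEY:
            value = (prop.findtext("value") or "").strip()
        elif name.strip().rstrip(".") == ROLLOVER_KEY:
            # Same key plus stray whitespace or a trailing period: a different name.
            findings.append(f"name {name!r} is not an exact match for the property")
    if value is None:
        seconds = DEFAULT_ROLLOVER_SEC
        findings.append("no override present; the 24-hour default applies")
    elif value.isdecimal() and int(value) > 0:
        seconds = int(value)
    else:
        seconds = None
        findings.append(f"value {value!r} is not a positive number of seconds")
    if seconds is not None and seconds > max_sec:
        findings.append(f"audit data may lag up to {seconds} s (limit {max_sec} s)")
    return seconds, findings


def _conf(name, value):  # builds a constructed sample document
    return (f"<configuration><property><name>{name}</name>"
            f"<value>{value}</value></property></configuration>")


# Constructed samples, not taken from a real cluster.
SAMPLES = {
    "override applied": _conf(ROLLOVER_KEY, "180"),
    "trailing period in name": _conf(ROLLOVER_KEY + ".", "180"),
    "unrelated property only": _conf("example.other.property", "true"),
    "non-numeric value": _conf(ROLLOVER_KEY, "3m"),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, "->", check_rollover(xml_text))
```
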

CDPD-12644: Ranger key names cannot be reused with the Ranger KMS KTS service
Key names cannot be reused with the Ranger KMS KTS service. If the key name of a deleted key is reused, the new key can be successfully created and used to create an encryption zone, but data cannot be written to that encryption zone.
Workaround:

Use only unique key names when creating keys.