Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.1.7 SP2.

CDPD-42806: Fix to handle case sensitive users with MySQL db flavour in Ranger.
CDPD-47867: Full privileges for the Hive table owner who creates the tables.
CDPD-47056: Fix Ranger TagRest API deleteTagResourceMapByGuid.
CDPD-45527: Chained plugins access evaluation result is not considered in some cases and results in unexpected behaviour.
CDPD-45526: Improve logging messages to help debug potential issues.
CDPD-45524: checkAdminAccess method should return false if user-session is not available.
CDPD-45512: RangerRESTClient should retry to connect in case of request failure.
CDPD-45511: Improvement in the implementation of policy label creation.
CDPD-45510: Fix Typo issue in GrantRevokeRoleRequest.java.
CDPD-45509: Remove printing of unnecessary log messages from Ranger tagsync.
CDPD-45507: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service.
CDPD-45505: Add option to optimize space needed by Trie objects.
CDPD-45503: Remove redundant code from credential builder module.
CDPD-45501: Fix for show grant failing on database in Ranger Hive plugin.
CDPD-45500: Fix NPE error in Ranger admin when enabling Ranger KMS.
CDPD-45288: Fix for RMS failing to process Alter operation on External tables when hdfs path of a table is updated.
CDPD-45247: Fix for RMS failing to process Alter operation on Managed tables when table is renamed.
CDPD-45116: Ranger admin user should be able to change another user's email after the upgrade.
CDPD-44880: Fix for RMS failing to process table rename correctly.
CDPD-44622: NPE fix in RangerDefaultPolicyEvaluator.
CDPD-44538: Ranger Roles creation code improvement.
CDPD-44402: Reduce Put RPC time taken by Ranger Authz CP.
CDPD-43950: Fixed the policy evaluator for deny access.
CDPD-42977: The Apache Ranger REST client that downloads policies, tags and roles from Ranger admin will use a cookie session. Previously, each plugin had to perform a Kerberos login to get a TGT in order to download policies, tags and roles. With this feature, the session cookie is enabled by default in RangerAdminClient and is used instead of contacting the KDC for a TGT to validate the user. This improves performance and reduces the load on the KDC.
CDPD-42972: Improve debugging and handling of thread terminations.
CDPD-42924: Remove CREATE PUBLIC SYNONYM privilege from Ranger DB user.
CDPD-42911: Tag policies enforcement for ADLS paths.
CDPD-42908: Hive authorization of Drop database / table if exists.
CDPD-42891: Set Cluster type info in RangerAccessRequestImpl objects.
CDPD-42888: compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call.
CDPD-42882: Fix for Ranger being unable to connect to the DB when the DB has been unavailable for a long time.
CDPD-42876: DB setup scripts need not convert the DB user to lowercase.
CDPD-42875: Restrict Oracle Long Identifiers in Ranger to be less than 30 Characters.
CDPD-42872: Improvement in loading the permission edit page when there is a large amount of user and group data. Added lazy loading for that.
CDPD-42871: Import start and import end to appear in chronological order.
CDPD-42868: Code fixed for Ranger role not to be deleted if the role is used in ranger audit filters in service plugins.
CDPD-42835: Fix for failing sql patches.
CDPD-42834: Improve HTTPS url check.
CDPD-42803: HDFS audit files rollover improvement to trigger rollover in monitoring thread.
CDPD-42802: Remove unwanted logs printing from ranger audit logging.
CDPD-42801: Audit log should be generated for non-super user for deleteSnapshot operation.
CDPD-42800: Fix for Show roles is not listing all roles.
CDPD-42797: Fix for alter operation failure on storage handler based table.
CDPD-42795: Allow user to execute GET_TABLES command.
CDPD-42794: Remove htrace due to shaded jackson-databind CVEs.
CDPD-42792: Fixed Atlas audit issue by adding right dependency.
CDPD-42790: Fix for Group's users mapping entry failure whenever primary key auto-increment is not set to 1 in db.
CDPD-42785: Ranger installation in MySQL when binary logging is enabled.
CDPD-42784: Fix for Ranger service creation failure due to DB unique key constraint violation.
CDPD-42782: Fix for failing Log print due to len(argv) call in Ranger deleteUserGroupUtil.py.
CDPD-42781: Add Roles information in the output file which is downloaded from reports page.
CDPD-42775: Fix NullPointerException in getSecureServicePoliciesIfUpdated call of ServiceRest.
CDPD-42774: Remove semicolon from c3P0 preferredTestQuery.
CDPD-42770: Fix for Ranger service tag import request failure when RangerServiceResource objects of ServiceTags objects do not have Ranger service name attribute values.
CDPD-42769: Resolve UI side regression for rendering resources.
CDPD-42768: Fixed checkbox-related issue in user/group listing page.
CDPD-42766: Fixed role update operation issue for role admin user. (A non-admin user should be able to update the role if he/she is role admin.)
CDPD-42749: Limit the query content size which is stored in Audit logs.
: After the Spring upgrade, spring-jcl-5.3.7.jar is loaded into the Ranger classpath, which causes this issue. To fix this issue, we have removed spring-jcl-5.3.7.jar from the Ranger-admin, Ranger-RMS, and Ranger-RAZ pom.xml. Now Ranger does not add spring-jcl-5.3.7.jar in its packaging.
CDPD-42737: Ranger default policies for Hive should include hdfs user.
CDPD-42736: Incremental Sync in the Usersync should be configurable.
CDPD-42735: Fix for ConcurrentModificationException in UnixUserGroupBuilder.
CDPD-42734: Remove unnecessary logs being printed by Ranger tagsync service.
CDPD-42732: Ranger tag-based policies enforcement improvement.
CDPD-42730: Fixed issue introduced partly by the fix for RANGER-3606.
CDPD-41282: RMS HTTPS server will add HSTS (HTTP Strict Transport Security), X-Frame-Options and X-XSS-Protection security headers to the API response.
CDPD-42741: Fix for Ranger KMS DAO memory issue when many new keys are created.
CDPD-42884: Fix for Ranger Raz failure during initialization of userstore download.
CDPD-42765: If RangerRMS cannot renew its ticket cache due to a KDC communication problem, it will not retry, and periodic "No ticket found in the cache" error messages will appear. If that happens, it won't have a valid Kerberos ticket and will not be able to communicate with other services, like HMS.
OPSAPS-64271: Ranger configurations now expose a safety valve for authorization-migration-site.xml, allowing users to set the custom properties required during migration of policies from Sentry to Ranger.
OPSAPS-64275: Updated AuthzMigrator GBN to point to the latest non-expired GBN for 7.1.7-SP2.

Apache patch information

  • RANGER-3505
  • RANGER-3593
  • RANGER-3977
  • RANGER-3956
  • RANGER-3780
  • RANGER-3754
  • RANGER-3705
  • RANGER-3693
  • RANGER-3663
  • RANGER-3565
  • RANGER-3578
  • RANGER-3571
  • RANGER-3556
  • RANGER-3538
  • RANGER-3519
  • RANGER-3276
  • RANGER-2893
  • RANGER-2853
  • RANGER-3911
  • RANGER-3898
  • RANGER-3617
  • RANGER-3334
  • RANGER-3322
  • RANGER-3419
  • RANGER-3485
  • RANGER-3324
  • RANGER-3784
  • RANGER-3552
  • RANGER-2790
  • RANGER-3259
  • RANGER-3211
  • RANGER-3603
  • RANGER-3478
  • RANGER-3356
  • RANGER-3353
  • RANGER-3806
  • RANGER-3594
  • RANGER-3576
  • RANGER-3591
  • RANGER-3325
  • RANGER-3691
  • RANGER-3592
  • RANGER-3600
  • RANGER-3568
  • RANGER-3362
  • RANGER-3509
  • RANGER-2728
  • RANGER-3661
  • RANGER-3518
  • RANGER-3367
  • RANGER-3798
  • RANGER-3789
  • RANGER-3642
  • RANGER-3829
  • RANGER-3813
  • RANGER-3584
  • RANGER-3442