Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.1.7.

CDPD-4578: Added ability to handle deleted users in sync source. Since this is a new feature, it is documented as part of DOCS-9150.
This issue is resolved.
CDPD-14423: Fixes Ranger's connection to Solr to pull audit events from the Solr service.
Ranger was unable to fetch audit events from Solr after the Kerberos ticket expired. This issue is resolved.
CDPD-20644: This Jira adds authorization of the StorageHandler in Hive CREATE / ALTER table statements. For this authorization, a policy has to be maintained in Ranger for the storage type (hbase, phoenix, kafka, jdbc) and the corresponding storage URL of the StorageHandler.
This issue is resolved.
CDPD-21783: Added a new feature: policy details are included after the table showing audit log details. The contents of the policy details should be similar to those shown on clicking the policy ID in the audit logs listing page.
This issue is resolved.
CDPD-22079: The root cause of the Out of Memory exception is that when Ranger tries to fetch a large number of audit records, it sets rows=2147483647, which is the maximum value of an integer. Ranger receives a SolrDocumentList object as the result of the following query:
q=*:*&fq=result:1&fq=repoType:9&fq=evtTime:[2021-03-09T00:00:00Z+TO+2021-03-17T23:59:58Z]&sort=evtTime+desc&start=0&rows=2147483647
Therefore, setting "SearchCriteria.maxRows=0" will get a total count of audit records for the given repoType.
This issue is resolved.
CDPD-22750: Made the configurations related to the number of shards available for users to configure from Cloudera Manager.

ranger.audit.solr.no.shards = No. of Solr Live nodes (Default Value)

(This change was implemented with this Jira.)

ranger.audit.solr.max.shards.per.node = 1 (Default Value)

ranger.audit.solr.no.replica = 1 (Default Value)

End users can set these configurations from CM, and Ranger will use them for the Solr collection.

ranger.audit.solr.no.shards can be updated using a safety valve.

ranger.audit.solr.no.replica and ranger.audit.solr.max.shards.per.node can be updated using the configs that are exposed on CM UI for Ranger service.

This issue is resolved.
CDPD-22820: Added validation for user/group names to check for invalid characters in Usersync before updating Ranger Admin.
This issue is resolved.
CDPD-23112: Add functionality to Ranger usersync to read cloud identities from config file (for unix sync source).
This issue is resolved.
CDPD-23572: Allow setting ranger.usersync.group.searchenabled to false and configure ranger.usersync.ldap.user.groupnameattribute=memberof. That way, usersync can sync the users based on the user search base and user search filter and use the "memberof" attribute of the user to sync all the groups each user belongs to.
This issue is resolved.
CDPD-23935: AccessResult attribute with isAudited set to false is not filtered in Ranger Audit Filter.
This issue is resolved.
CDPD-24008: Upgraded velocity version to handle CVE issues.
This issue is resolved.
CDPD-24021: Ranger Audit Filters do not filter the HDFS read operation when the filter is set to not audit reads.
This issue is resolved.
CDPD-24660 and CDPD-24657: Created individual DB transactions for each create/update user when the request comes from usersync. Also added retry logic for user creation while creating services.
This issue is resolved.
CDPD-25086: When an entity is tagged, Ranger Admin searches its internal tables to update the entity. The search was inefficient because the relevant table was not indexed correctly.
This JIRA updates the table schema to ensure that the table is indexed correctly. This issue is resolved.
CDPD-25247: Fixed the regression bug in which zone tag policies were deleted while updating a zone.
This issue is resolved.
CDPD-25372: Removed unused .htaccess file.
This issue is resolved.
CDPD-25609: Added default basic audit filters for the yarn, kudu, s3, nifi, nifi-registry, and schema-registry components.
This issue is resolved.
CDPD-25655: Fixes the issue of a wrong audit being generated for a chgrp operation performed by a superuser.
This issue is resolved.
CDPD-25876: Updates the user source when the same user exists as an internal user and is later added from an external source.
This issue is resolved.
CDPD-25910: Fixed the issue of the cluster name not appearing in Ranger Access audits whenever the resource type is missing.
This issue is resolved.
CDPD-26075: Fixes the upgrade with Oracle database.
This issue is resolved.
CDPD-26181: Fixes the issue of wrong jetty-client version used in Ranger.
This issue is resolved.
CDPD-26332: Added null check to audit event object before retrieving information.
This issue is resolved.
CDPD-26674: The {OWNER} user is blocked in the UI for storage-type resource policies to prevent unauthorized access to the storage URL.
This issue is resolved.
CDPD-26934: HBase resource lookup in Ranger fails with "java.lang.NoClassDefFoundError: org/apache/htrace/core/Tracer".
This issue is resolved.
CDPD-27085: Fixes the failure of alter and drop operations due to URISyntaxException when a storage handler policy is applied on a Phoenix-based storage URL.
This issue is resolved.
CDPD-27464: For the ADLS service, the password field had type "string"; this type is changed to "password".
This issue is resolved.
OPSAPS-54567: Ability to install NiFi/Kafka clusters with Ranger/Solr but no HDFS.
Ranger doesn't have a hard dependency on HDFS anymore. Components depending on Ranger (and transitively on Solr) can be installed on a cluster having Core Configuration service instead of HDFS. This issue is resolved.
OPSAPS-59481: Add default value to ranger.ldap.user.dnpattern in Cloudera Manager.
Add validation for ranger.ldap.user.dnpattern. This issue is resolved.
CDPD-21849: After upgrade to 7.1.5 unable to update user in usersync.
Added back support to allow the usersearchenabled flag to be configurable (true or false) while retrieving users/groups from AD/LDAP. The default value is "true". When this configuration is set to false, users are retrieved based on groupmemberattribute. This issue is resolved.
CDPD-14939: Audit logs are too verbose.
Added capability to specify audit filters. This issue is resolved.
CDPD-21611: HBase command authorization issue in Ranger.
  1. "list_namespace" -> a user who has the "ADMIN" privilege can run this successfully; otherwise an authorization error will occur.
  2. "list_namespace_table" -> the user can have any of the permissions (RWCA) on the namespace to list the tables.
  3. "list" -> the user should have the Create/Admin privilege to list tables.
This issue is resolved.
CDPD-20686: HBase list command authorization issue in Ranger.
  1. "list_namespace" -> a user who has the "ADMIN" privilege can run this successfully; otherwise an authorization error will occur.
  2. "list_namespace_table" -> the user can have any of the permissions (RWCA) on the namespace to list the tables.
  3. "list" -> the user should have the Create/Admin privilege to list tables.
This issue is resolved.
CDPD-19924: HDFS Audit does not capture HDFS writes or renames properly.
Ranger Audit will have the correct file name of the file taking part in the operation. This issue is resolved.
CDPD-22408: HDP deploy fails: ranger services are missing.
Fixed failures during service repo creation by adding retry logic for creating service users. This issue is resolved.
CDPD-20361: Improvement for FIPS changes on Ranger Code Base.
FIPS support enhancements. This issue is resolved.
CDPD-21649: RMS support to HiveMetaStore API for optimal data download - getTables API for ACL Sync.
Use optimized API from HMS. This issue is resolved.
CDPD-18273: Ranger - Upgrade TLS to version 1.2 and above.
Disabled TLS versions that are less than 1.2 for Ranger. This issue is resolved.
CDPD-15630: Ranger API to delete a service in Ranger based on cluster name.
Added Ranger API to delete a service in Ranger based on cluster name. This issue is resolved.
CDPD-13866: Ranger Access audit improvements.
Made table columns resizable and allowed users to select columns. This issue is resolved.
CDPD-21704: Ranger Auditor role (API compatibility).
Fixed access for servicedef GET API. This issue is resolved.
CDPD-21799: Ranger Database deadlock while migrating from CDH 5.14.0 to CDH 7.1.5.
Created individual DB transactions for each create/update user when the request comes from usersync in order to avoid possible DB deadlock that is causing service creation failures. This issue is resolved.
CDPD-22348: Ranger HBase resource lookup fails with "java.lang.NoClassDefFoundError: org/apache/htrace/core/Tracer".
Fixed HBase resource lookup. This issue is resolved.
CDPD-20299: Ranger Hive policy with nested Roles failed to authorize request.
Roles/Groups in Nested Roles will be authorized in the Hive operations. This issue is resolved.
CDPD-21724: Ranger LDAP for Usersync - issue seems to be around usage of bcfks file.
The keystore type and truststore type configurations for LDAPS were not honored properly. This issue is resolved.
CDPD-21010: Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown APIs for a clean shutdown of HBase.
For a clean shutdown of HBase, the Ranger ShutdownHook is called in the RangerHBaseCoprocessor preShutdown APIs. This issue is resolved.
CDPD-22264: Ranger UI is breaking when hitting user-profile (protected url) after logout.
Resolved Ranger UI issue being broken after logout in Firefox. This issue is resolved.
CDPD-20730: Remove global JAAS Configuration for auditing.
Global JAAS Configuration entry should not be set from ranger plugin auditing code. This issue is resolved.
CDPD-21026: Some policies are not accessible to user.
Fixed issue with delegate admin support for specific permissions. This issue is resolved.
CDPD-22386: Toggle switch does not render after change in resources drop down value.
This issue is resolved.
CDPD-23030: Unexpected "Permission denied" when executing hdfs command with RMS enabled.
Fixed RMS initialization errors caused by the inclusion of the jersey-server jar from Hive, which was version 2.x. This issue is resolved.
CDPD-17467: Upgrade Tomcat from 7.0.x line.
Tomcat is upgraded to 8.5.61. This issue is resolved.
CDPD-20653: Long tag based service names are not shown correctly.
This issue is resolved.
CDPD-20899: Improvement in Ranger UI's Edit Policy page - Button alignment enhancements.
This issue is resolved.
CDPD-22733: Usersync failures and intermittent ranger service repo creation failures during startup.
This issue is resolved.
CDPD-22463: Use default value for source attribute in enunciate-maven-plugin for ranger-admin.
This issue is resolved.
CDPD-21942: After cluster upgrades from HDP 3.1.5 to CDP 7.1.7, Kafka plugin policy import fails with errors.
Corrects the inconsistent data from the database. This issue is resolved.
CDPD-22901: Ranger Hive role based grant/revoke failures.
This issue is resolved.

Apache patch information

  • RANGER-3194
  • RANGER-3176
  • RANGER-3000
  • RANGER-3168
  • RANGER-3159
  • RANGER-3122
  • RANGER-3094
  • RANGER-3153
  • RANGER-3120
  • RANGER-3130
  • RANGER-3163
  • RANGER-3177
  • RANGER-3122
  • RANGER-3134
  • RANGER-3171
  • RANGER-3140
  • RANGER-3169
  • RANGER-3104
  • RANGER-3176
  • RANGER-3168
  • RANGER-3109
  • RANGER-2972
  • RANGER-3153
  • RANGER-3055
  • RANGER-3094
  • RANGER-3121
  • RANGER-3159
  • RANGER-3175
  • RANGER-3000
  • RANGER-3286
  • RANGER-3297
  • RANGER-3283
  • RANGER-3261
  • RANGER-3272
  • RANGER-3250
  • RANGER-3163
  • RANGER-3213
  • RANGER-3294
  • RANGER-3203
  • RANGER-3207
  • RANGER-3248
  • RANGER-3215
  • RANGER-3148
  • RANGER-3157
  • RANGER-980