Known Issues in Apache Ranger
Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.
- In the affected CDP releases (7.1.7.1056+, 7.1.7 SP2+, 7.1.8 CHF1+, 7.2.16.0+, 7.2.15.2+, 7.2.14.3+), Hbase Regionserver performance is degraded by aggressive GC pause and memory contention from the ColumnFamilyCache.
- Disable ColumnFamilyCache
Cloudera Manager -> HBase -> HBase Service Advanced Configuration Snippet (Safety Valve) for ranger-hbase-security.xml xasecure.hbase.columnfamilies.cache.maxsize=0
- Ranger default service cm_solr for Ranger solr plugin fails.
- Workaround: You must create it manually from Ranger Admin UI.
- CDPD-3296: Audit files for Ranger plugin components do not appear immediately in S3 after cluster creation
- For Ranger plugin components (Atlas, Hive, HBase, etc.), audit data is updated when the applicable audit file is rolled over. The default Ranger audit rollover time is 24 hours, so audit data appears 24 hours after cluster creation.
- CDPD-12644: Ranger Key Names cannot be reused with the Ranger KMS KTS service
- Key names cannot be reused with the Ranger KMS KTS service. If the key name of a delete key is reused, the new key can be successfully created and used to create an encryption zone, but data cannot be written to that encryption zone.
- CDPD-17962: Ranger roles do not work when you upgrade from any CDP Private Cloud Base to CDP Private cloud base. Roles which are created prior to upgrade work as expected, issue is only for new roles created post upgrade and authorization enforced via ranger policies wont work for these new roles. This behavior is only observed with the upgraded cluster; a newly installed cluster does not show this behavior.
- There are two possible workarounds to resolve this issue:
- Update database entries (Recommended):
- select * from x_ranger_global_state where state_name='RangerRole';
- update x_ranger_global_state set app_data='{"Version":"2"}' where state_name='RangerRole';
- Add a property in safety valve under ranger-admin-site which will bypass the getAppDataVersion method:
- Update database entries (Recommended):
Technical Service Bulletins
- 2023-673: Ranger RMS Field issues causing HDFS high RPC queue time and processing time issue
- When Apache Ranger (Ranger) Resource Mapping Server (RMS) is enabled, customers may intermittently encounter high Remote Procedure Call (RPC) queue time in the Hadoop Distributed File System (HDFS) NameNode, which results in jobs requiring more time than usual to finish. This is caused by the process of the Ranger HDFS plugin that needs to evaluate applicable Apache Hive (Hive) policies in addition to a set of HDFS policies for each HDFS location authorization. The evaluation process may cause access authorization latency of an additional 10-20 ms under heavy load, which in turn causes high NameNode RPC time.