Known Issues in Apache Ranger

Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.

CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column.

A user is allowed to enter data into a table even if there is a deny policy present on one of the table columns.

Test scenario details:
Policy setup :-
            policy 1 :- all access policy for hrt_qa, hive and impala users
            resources - database - * , table - *, column - *
            users : hrt_qa, hive, impala
            access - all access allowed
            policy 2 :- policy on test_1.table_1 for hrt_5
            users : hrt_5
            resources : database - test_1, table - table_1, column - *
            access :- all access allowed
            policy 3 :- deny policy on test_1.table_1.c0 for hrt_5
            users : hrt_5
            resources : database - test_1, table - table_1, column - c0
            access - all access denied
            data setup :-
            database - test_1
            table - table_1(c0 int, c1 int)

The user is able to insert data into the table.

CDPD-41582: Atlas Resource Lookup : Classification for "entity-type" lists only classification for the following payload:

{"resourceName": "classification", "userInput": "", "resources": {"classification": []}}]

expectation is to return all the classifications . But the response has only "classification"Happens similarly for entity-label , entity-business-metadata.

CDPD-42598: Kafka policy creation allowed with incorrect permissions.

When creating a Kafka policy from the UI, the permissions "Idempotent write"and "Cluster action" are not displayed as they are not applicable for the "topic" resource, but when creating a policy for the "topic" resource with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully when the expected behaviour is that the policy creation must fail as the permission is not applicable for the Kafka topic resource

CDPD-44694: ErrorCode: 1118. Unable to upgrade Ranger database and apply patches during CDP 7.1.8 upgrade.
This known issue is caused by DB being configured to use utf8mb4 character encoding.
Error occurs when upgrading Ranger database and applying patches.
SQLException : SQL state: 42000 java.sql.SQLSyntaxErrorException: Row size too large.
              The maximum row size for the used table type, not counting BLOBs, is 65535.
              This includes storage overhead, check the manual.
              «You have to change some columns to TEXT or BLOBs ErrorCode: 1118


  1. Log in to Ranger Admin host on the command line .
  2. Copy 055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql from /opt/cloudera/parcels/CDH-7.1.8-1.cdh7.1.8.p0.30990532/lib/ranger-admin/db/mysql/patches/055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql to a backup location.
  3. Open 055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql for editing.
  4. Replace all occurrences of varchar(4000) with text.
  5. Save the file and resume the upgrade.