Known Issues in Apache Ranger
Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.
- In the affected CDP releases (7.1.7.1056+, 7.1.7 SP2+, 7.1.8 CHF1+, 7.2.16.0+, 7.2.15.2+, 7.2.14.3+), Hbase Regionserver performance is degraded by aggressive GC pause and memory contention from the ColumnFamilyCache.
- Disable ColumnFamilyCache
Cloudera Manager -> HBase -> HBase Service Advanced Configuration Snippet (Safety Valve) for ranger-hbase-security.xml xasecure.hbase.columnfamilies.cache.maxsize=0 - CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column.
A user is allowed to enter data into a table even if there is a deny policy present on one of the table columns.
Test scenario details:Policy setup :- policy 1 :- all access policy for hrt_qa, hive and impala users resources - database - * , table - *, column - * users : hrt_qa, hive, impala access - all access allowed policy 2 :- policy on test_1.table_1 for hrt_5 users : hrt_5 resources : database - test_1, table - table_1, column - * access :- all access allowed policy 3 :- deny policy on test_1.table_1.c0 for hrt_5 users : hrt_5 resources : database - test_1, table - table_1, column - c0 access - all access denied data setup :- database - test_1 table - table_1(c0 int, c1 int)The user is able to insert data into the table.
- CDPD-41582: Atlas Resource Lookup : Classification for "entity-type" lists only classification for the following payload:
{"resourceName": "classification", "userInput": "", "resources": {"classification": []}}]expectation is to return all the classifications . But the response has only "classification"Happens similarly for entity-label , entity-business-metadata.
- CDPD-42598: Kafka policy creation allowed with incorrect permissions.
When creating a Kafka policy from the UI, the permissions "Idempotent write"and "Cluster action" are not displayed as they are not applicable for the "topic" resource, but when creating a policy for the "topic" resource with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully when the expected behaviour is that the policy creation must fail as the permission is not applicable for the Kafka topic resource
- CDPD-44694: ErrorCode: 1118. Unable to upgrade Ranger database and apply patches during CDP 7.1.8 upgrade.
- This known issue is caused by DB being configured to use utf8mb4 character encoding.
- Error occurs when upgrading Ranger database and applying patches.
SQLException : SQL state: 42000 java.sql.SQLSyntaxErrorException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. «You have to change some columns to TEXT or BLOBs ErrorCode: 1118Workaround
- Log in to Ranger Admin host on the command line .
- Copy 055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql from /opt/cloudera/parcels/CDH-7.1.8-1.cdh7.1.8.p0.30990532/lib/ranger-admin/db/mysql/patches/055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql to a backup location.
- Open 055-add-syncSource-col-in-x_user-x_portal_user-x_group.sql for editing.
- Replace all occurrences of varchar(4000) with text.
- Save the file and resume the upgrade.
Technical Service Bulletins
- 2023-673: Ranger RMS Field issues causing HDFS high RPC queue time and processing time issue
- When Apache Ranger (Ranger) Resource Mapping Server (RMS) is enabled, customers may intermittently encounter high Remote Procedure Call (RPC) queue time in the Hadoop Distributed File System (HDFS) NameNode, which results in jobs requiring more time than usual to finish. This is caused by the process of the Ranger HDFS plugin that needs to evaluate applicable Apache Hive (Hive) policies in addition to a set of HDFS policies for each HDFS location authorization. The evaluation process may cause access authorization latency of an additional 10-20 ms under heavy load, which in turn causes high NameNode RPC time.
