Apache Ranger

Learn about the new features of Ranger in Cloudera Runtime 7.1.8.

HDFS Hive ACL Sync (Ranger RMS) propogates Hive db-level grants

When multiple databases are mapped to single hdfs location, and if a hive policy allows a user to access one database; then, a user can access that database's hdfs location and all other files & directories under it. For more information, see the updated examples in Ranger HIVE-HDFS ACL Sync Overview.

New Ranger Usersync configuration that specifies role assignment for service users

You can now automatically assign Admin and Key Admin roles for external users. For more information, see the updated examples in Configure Usersync assignment of Admin users.

Ozone-Ranger integration Enhancement : Recursive ACL check for subpaths

Ranger now only supports authorization for rename and recursive delete operations, and also provides an option to enable performance optimized solution when these operations are performed on directory containing large set of subpaths (directories/files) within it. This support the Ozone File System Optimized Bucket layout. For more information, see Configure rename and recursive delete operations in Ranger Ozone plugin.

Solr-Ranger integration Enhancement : Map Ranger Policies to Sentry Privileges

Ranger in CDP-7.1.8 supports collection, admin, config, and schema object types for Solr. For more information, see updated examples in: Configure a resource-based policy: Solr.

Ranger: HA Support for Oracle Database

Oracle RAC is now supported and certified as a backend database for Ranger.

Hive plugin enhancement - add coarse URI check for Hive Agent

Ranger now supports a coarse check for URI permissions. For more information, see How to add a coarse URI check for Hive agent.

Hive plugin enhancements - seperate INSERT/DELETE audit

Ranger audit handler enhanced to intercept the login of insert, update, delete and truncate calls and modify the access type accordingly. The audit now shows specific operations. For more information, see updated examples, in View audit details.

Ranger HDFS audit enhancement - allow closing by configured threshold

Configuration of HDFS audit file behavior enhanced. For more information, see How to trigger HDFS audit files rollover.

Ranger RMS Database Full Sync

Provides a full sync of the Ranger RMS databse with the Hive metastore, performed from Cloudera Manager. For more information, see How to full sync the Ranger RMS database.

Support browser login using kerberized authentication

Ranger Admin now supports browser login using kerberos authentication. To control browser-specific access, a user can add / update user-agents by configuring ranger-admin-site.xml through a safety-valve. For more information, see Enable Ranger Admin login using kerberos authentication.

Ranger KMS

Learn about the new features, and improvements in Ranger KMS in Cloudera Runtime 7.1.8.

Expansion of Encryption support

  • Ranger KMS is now certified to work with GCP Cloud HSM, Thales CipherTrust Manager 2.0, and Thales Luna HSM.
  • Kudu now supports native encryption for data at rest. With native encryption, the local file system no longer has to be encrypted. This was often an issue for colocated Kudu and HDFS nodes where in order to encrypt Kudu, HDFS had to be needlessly encrypted again at the local file system level. Ranger KMS can be used to manage the keys used for Kudu’s native data at rest encryption.

For more information, see Integrating Components for Encrypting Data at Rest.

Performance and Function Improvements

  • Ranger policy page now includes better visibility for HDFS and YARN fallback to ACL options. Fallback to HDFS/YARN ACLs is enabled by default.
  • Ranger KMS will no longer report an error (ArrayIndexOutOfBoundsException) when SOLR is offline during the upload configuration phase. Now, per Ranger-3290, a more useful message is shown ("No live SolrServers available").
  • Merged Ranger-3442, which improves memory management when adding multiple keys to Ranger KMS at the same time. For example, in the case of running a script to call createKey and getMetadata in a loop. After this patch, keys can be added to the KMS with no speed limitations.
  • Improved error messaging during Hadoop KMS starup by merging HADOOP-15234. Now if “keyProvider” is null, instead of a null pointer exception the user will get a meaningful message about initializing a key provider.
  • Fixed error logging message when checking if user is in a blacklist by merging HADOOP-15455. Now the log correctly states the user is not in a blacklist instead of stating the opposite.

  • KeyAuthorizationKeyProvider is now logged when KMS server is started by merging HADOOP-14784. This will help clarify that the KeyAuthorizationKeyProvider is actually loading during start-up.

  • Ranger KMS will now invalidate the key cache across all KMSClientProvider instances when a key is deleted instead of waiting for the cache to expire.
  • When Ranger KMS is paired with KTS, connections will enforce HSTS as defined by RFC 6797.
  • Ranger, and Ranger KMS, now support in-place upgrades in FIPS environments.