Fixed Issues in Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.1.9 SP1.

CDPD-70349: Ranger admin's service/metrics/status returns 404 and throws error in catalina.out
NA
CDPD-70423: Ranger replication failure during ranger-replication-transform
Ranger replication policy fails in the "Transforming services, policies and roles from Ranger" step during the policy execution. The fix has been provided for this scenario.
CDPD-68920: Custom Service Descriptors (CSD) changes for RMS metrics for Hive and Ozone service mappings
Ranger RMS metrics were previously supported only for Hive and HDFS service mappings. Ranger RMS now supports multiple source service types. Ranger RMS provides mappings for Hive-HDFS as well as Hive-Ozone services, where Hive, HDFS, Ozone, Ranger, and Ranger RMS services are installed and RMS is enabled.
CDPD-68831: Ranger react UI - Some modules showed hard coded time zone string like "Indian Standard Time"
The Ranger react UI popup that shows details of an admin audit log had a hard coded string, namely "Indian Standard Time". Certain log table headers also had the hard coded string "Indian Standard Time". The fix has been provided for this scenario.
CDPD-68807: Upgrade Spring Framework to 6.1.6/6.0.19/5.3.34 due to CVE-2024-22243, CVE-2024-22259 and CVE-2024-22262
Upgrade Spring Framework to 5.3.34
CDPD-68737: Upgrade opensearch to 1.3.15 due to CVE-2023-45807
Upgrade opensearch to 1.3.15
CDPD-66624: Transform URLs with or without / at the end

In Ranger replication Resource and Hive URL mapping, there are different paths:

For example:

/user/hive/warehouse/

s3a://bucket/path

Including a / separator or not can cause issues during transformation.

A fix is provided so that Resource and Hive URL prefix-based transformations are aware of a potential / at the end of URLs and handle the transformation correctly.

CDPD-68590: Ranger RMS gives all permissions to the user through the Create permission
An additional check is now made to ensure that the user attempting to alter an HDFS directory that maps to the Hive database is the owner of the Hive database before the attempted operation is allowed.
CDPD-68489: Upgrade jline to 3.25.1 due to CVE-2023-50572
Upgraded jline to 3.25.1 due to CVE-2023-50572
CDPD-68375: Enhance handling of subAccess authorization in Ranger HDFS plugin
Currently, Ranger performs authorization of the HDFS commands which require access to the hierarchy of files/directory rooted at the argument passed to the HDFS command.
CDPD-68365: Audit logs for tag masking policy is displaying the service name along with datamask type
A fix is provided to not display the service type name along with datamask type in audit logs for tag based masking policy.
CDPD-68252: Upgrade Commons-configuration2 to 2.10.1 due to CVE-2024-29133 and CVE-2024-29131
Upgraded Commons-configuration to v2.10.1 due to CVEs
CDPD-68024: Use name validation regex instead of service name validation regex for display name
Currently, in the Service creation / edit form in the Ranger react UI, there is a validation for the display name which does not allow spaces. The validation has to be modified to include spaces, otherwise it does not allow you to edit the Service from the UI.
CDPD-67864: Upgrade Spring Security to 5.7.12/5.8.11/6.1.8/6.2.3 due to CVE-2024-22257
Upgrade Spring security to 5.7.12
CDPD-67750: Upgrade telemetry to 1.36.0
Upgrade telemetry version to 1.36.0
CDPD-67749: Upgrade protobuf-java to 3.21.7 due to CVE-2022-3171
Upgrade protobuf-java to 3.21.7
CDPD-67746: Upgrade Nimbus-JOSE-JWT to 9.37.3 due to CVE-2023-52428
Upgrade Nimbus-JOSE-JWT to 9.31
CDPD-67744: Exclude Apache Derby from ranger-rms module due to CVE-2022-46337
Exclude Apache Derby from the ranger-rms module
CDPD-67530: Support FIPS on JDK17
Successfully validated Ranger and Ranger KMS for FIPS with JDK 17.
CDPD-67316: Add an eye icon for password visibility in Ranger login page

The Ranger login page did not support password visibility functionality. Users were not able to verify the entered password. Users can now view the entered password by clicking on the eye icon on the password field in the Ranger login page.

CDPD-67315: Filtering the resources in the search filter options on the policy listing page based on policy type.
N/A
CDPD-67314: Handling local storage data for column show/hide functionality
Implemented Column Hide/Show functionality in the Audit > Plugin Status tab.
CDPD-67110: Upgrade json-smart due to CVE-2023-1370
Upgraded json-smart to 2.4.10 due to CVEs
CDPD-67098: Upgrade commons-compress to 1.26.0 due to CVE-2024-25710 and CVE-2024-26308
Upgraded commons-compress to 1.26.0 due to CVE-2024-25710 and CVE-2024-26308
CDPD-66512: Enabling FIPS for Luna 7 server
A fix was provided.
CDPD-66501: Remove/Replace OpenSAML v3 due to EOL
Removed OpenSAML v3.4.5 due to EOL
CDPD-65650: Pagination on the Ranger Admin - Plugin Status page
The Ranger Admin UI's "Plugin Status" page now supports pagination. Previously, the Ranger Admin UI displayed only 200 entries (the first or random ones), which was not easy to navigate. Also, ordering/sorting on columns was only "client side" sorting, which hampered viewing some entries (it was possible only when searching by Host Name, for example). With bigger clusters this was a usability issue.
CDPD-65125: User Agent info not logged under "Login sessions" when login fails
User agent information will not be available for failed login.
CDPD-64634: Update ServiceDef icons on the service manager page
The service manager page previously used a folder icon for displaying ServiceDefs. Presently, the service manager page displays a real logo or icon that is specific to each ServiceDef.
CDPD-64334: Ranger - Upgrade Bouncy Castle to 1.77 due to CVE-2023-33202 and CVE-2023-33201
Bouncy Castle lib version upgraded to v1.77
CDPD-63694: Ranger plugin sends audits with Public Key Infrastructure (PKI) authentication with Solr user and causing PKI Exception
The error occurs when the workload Solr sends the audits to the infra Solr. The Ranger plugins' own solrclient uses PKI regardless of the Solr configuration.
CDPD-63984: HBase shell revoke command failed with 'HTTP 400 Error: processSecureRevokeRequest processing failed'
A fix was provided for this issue.
CDPD-62362: Ranger plugin sends audit information with Public Key Infrastructure (PKI) authentication with Solr user and causing PKI Exception

A fix is provided to handle the error when the workload Solr sends the audit information to the infra Solr.

CDPD-65125: User Agent information not logged under "Login sessions" when login fails
A fix is provided where the User Agent information is available for failed login.
CDPD-61934: Filter audits for cc_metric_reporter user on Kafka service repository

A lot of audits are generated for the cc_metric_reporter user on the Kafka service repository for the resource "__CruiseControlMetrics". These audits fill up the audit logs and add little value. A fix is provided by adding a filter for audits of the cc_metric_reporter user on the Kafka service repository.

Apache patch information

  • RANGER-4504
  • RANGER-4729
  • RANGER-4780
  • RANGER-4753
  • RANGER-4673
  • RANGER-4519
  • RANGER-4348
  • RANGER-3346
  • RANGER-4467
  • RANGER-4659
  • RANGER-4656
  • RANGER-4641