Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.1.9.

CDPD-53435: [7.1.9.x] Add/ Update metric details for Ranger TagSync
Add Metrics APIs for Ranger Tagsync.
CDPD-44451: Add/ Update metric details for Ranger UserSync
Add Metrics APIs for Ranger Usersync.
CDPD-58506: User is not allowed to delete directory in Ozone even though user has permissions
User is not allowed to delete a directory in Ozone even though the user has permissions.
CDPD-69608: Ranger TagSync is out of memory
The Ranger TagSync process runs out of heap memory. The out-of-memory issue could be because Kafka messages that are of no interest to TagSync are stored in the TagSync process and are not cleared until a Kafka message that must be uploaded to Ranger Admin is encountered. The same condition also leads to a buildup of messages in a Kafka queue ("ATLAS_ENTITIES").
CDPD-50662: [7.1.9.x] - Groups are not visible in mask and row level policy listing tables.
Group listings are not visible in mask and row-level policy listing tables.
CDPD-51892: CLONE - Tag-based policy UI to not show permissions in deny/exception for services that don't support deny/exception
The tag-based policy UI should not show permissions in deny and exception policy-items for service-types that don’t support deny and exceptions, that is, service-defs having options.enableDenyAndExceptionsInPolicies=false.
CDPD-55048: KafkaAuthorization ACL operation Interface implementation in RangerKafkaAuthorizer
KafkaAuthorization ACL operation Interface implementation in RangerKafkaAuthorizer
CDPD-57073: RangerClient#createRole singletonMap causes Ozone tenant creation failure in custom-kerberos-principal-option4
Reverted a change (part of another review for JWT changes) to fix tenant creation in Ozone. This fixes the REST API call; passing auth_type as kerberos in the request was the issue.
CDPD-49182: [7.1.9] Ranger AD User Sync - support for AD group names containing slashes
Adds support for LDAP user and group names with special characters.
CDPD-44902: Ranger admin feature to delete all external users
Introduced a new feature that adds 2 new REST APIs to force delete external users at scale.
CDPD-46248: Ranger RMS Field issues
Fixed issues listed in the description below. Please ensure that before applying the patch, RMS service is stopped and the existing RMS resource-mapping is cleaned up. This can be achieved by updating the RMS database tables with the following SQL commands:
  delete from x_rms_resource_mapping;
  delete from x_rms_service_resource;
  delete from x_rms_notification;
  update x_rms_mapping_provider set last_known_version=-1;
After applying the patch and restarting RMS server, the resource-mappings will be re-synced from HiveMetaStore.
CDPD-50668: CLONE 7.1.9 - HA support for Ranger User Sync
This is a new feature which enables support for Ranger UserSync in HA (Active-Passive) mode.
CDPD-48978: kms get currentversion api is returning old keymaterial after key migration from KTS to KMS
While exporting keys for KTS migration, key version should be in the opposite order.
CDPD-49334: Key migration from KTS to RangerKMS
Key migration from KTS to RangerKMS DB
CDPD-55419: Ranger - Upgrade json-smart to 2.4.10 due to CVE-2023-1370
Upgrade json-smart to 2.4.10
CDPD-53858: metrics are not getting dumped in /var/log/ranger/kms/ranger_kms_metric.log file when KMS is stopped
After internal discussion, it was agreed to dump the metric state in the same regular KMS log file when the service goes down.
CDPD-57318: Ranger - Upgrade jackson-dataformat-xml to 2.13.5 due to multiple CVEs in woodstox
Use woodstox-core version 5.4.0
CDPD-56463: [7.1.9] - Ranger - Upgrade Spring Security to 5.7.8+/5.8.3+/6.0.3+ due to CVE-2023-20862
Upgrade Spring Security to 5.7.8
CDPD-50537: [7.1.9.x] - Ranger - Upgrade Kerby to 2.0.3 due to CVE-2023-25613
Upgrade Kerby to 2.0.3
CDPD-55561: Ranger - Upgrade bcpkix-jdk15on to 1.70+ due to CVE-2019-17359
Upgrade bcpkix-jdk15on to 1.70
CDPD-15744: HA support for Ranger Tag Sync/User Sync
HA support for Ranger TagSync and UserSync added as part of this new feature enhancement.
CDPD-54854: CLONE [7.1.9]- Ranger audit metrics deletion is failing
Code fix for Ranger audit metrics deletion failing.
CDPD-50648: CLONE [7.1.9] - Ranger is opening a lot of zk connections when solr is down
Ranger now closes the ZooKeeper connection when the Solr service is not reachable. It also follows the configured number of retries to connect to Solr, at the given time intervals.
CDPD-49503: [Ranger UI] [React JS] If the url to edit a policy, service or permissions for a module, and the url to view user/group/roles contains an invalid id, then page should display an error
1) If the user enters a wrong URL in the Ranger UI, a 404 "Page not found" error page is displayed.
2) If the user enters a wrong ID that is not present in the database, a 400 "Data not found" page is displayed.
CDPD-54619: [7.1.9.x]- Regression caused by CDPD-45891
Fix URI for getDeletedGroups() in PolicyMgrUserGroupBuilder
CDPD-44227: Ranger improvement - Roles Import/export API for ranger admin
Add Roles Import/export API for ranger admin
CDPD-44198: shell script to export, transform, import of ranger tags for ranger replication
shell script to export, transform, import of ranger tags for ranger replication
CDPD-50457: [719 CLONE] - Provide option to update group memberships when same users/groups are synced from different sync sources
Update group memberships when same users/groups are synced from different sync sources
CDPD-56737: Ranger - Upgrade Tomcat to 8.5.89 due to CVE-2023-28709
Upgrade Tomcat to 8.5.89
CDPD-50454: [7.1.9.x]- Unable to delete the user if policy is created by same user and added in the policy item
Allow delete user operation if policy is created by same user and added in the policy item
CDPD-56300: Introduce config within Ranger to control retention period of x_auth_session data
Add config within Ranger to control retention period of x_auth_session table data
CDPD-55459: Ranger - Upgrade Spring Framework to 5.3.27/6.0.8 due to CVE-2023-20863
Upgrade Spring Framework to 5.3.27
CDPD-49638: [7.1.9.x] - Log4j2 support in Ranger
Added Log4j2 support in Ranger
CDPD-11878: Support for avoiding multiple access request enrichment
Optimization to enrich the request only once to alleviate the performance overhead.
CDPD-50533: [7.1.9.x] - Add unique constraint on resource_signature column of x_rms_service_resource table
Add unique constraint on resource_signature column of x_rms_service_resource table
CDPD-50605: ArrayIndexOutOfBounds exception may be thrown while processing events
Fix to handle ArrayIndexOutOfBounds exception while processing events
CDPD-49650: [7.1.9.x] - Add Oracle SSL support in ranger
Oracle SSL Connection support in ranger
CDPD-58569: Ranger - Upgrade Guava to 32.0.1 due to CVE-2023-2976
Upgrade Guava library version to 32.0.1
CDPD-52749: [7.1.9.x]- [Ranger][UserSync]Enumerate Groups will give error on executing 'getent group' command
Fix for the error that Enumerate Groups gives on executing the 'getent group' command
CDPD-50368: [7.1.9]- Ranger - Upgrade snakeyaml due to CVE-2022-1471
Upgrade snakeyaml to 2.0
CDPD-50433: [7.1.9.x] - No policy found for given version in Ranger Audit page
Record policy data history during ranger upgrade
CDPD-49704: deleteUserGroupUtil.py fails to delete username with space
Allow deletion of users having space in username
CDPD-58493: Ranger - Upgrade Netty Project to 4.1.94.Final due to CVE-2023-34462
Upgrade Netty Project to 4.1.94.Final
CDPD-56457: [7.1.9] - Ranger - Upgrade Nimbus-JOSE-JWT to 9.24 due to CVEs coming from json-smart
Upgrade Nimbus-JOSE-JWT to 9.31
CDPD-40385: Ranger RMS for Ozone
This is a new feature introduced in CDP 7.1.9. Ranger RMS will support authorization for Ozone storage locations. RMS for Ozone will co-exist with Hive-HDFS ACL sync and provide authorization for both HDFS and Ozone file systems.
CDPD-53830: [7.1.9.x] Add/ Update metric details for Ranger RMS
Add Metrics APIs for Ranger RMS
CDPD-50564: Add/ Update Additional metric details for Ranger RMS
Add Additional Metrics for Ranger RMS.
CDPD-55050: Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
API to find whether a user/group/role is authorized for the given operation on any resource of the given type
CDPD-50670: CLONE 7.1.9 - HA support for Ranger TagSync
This is a new feature which enables support for Ranger TagSync in HA (Active-Passive) mode.
CDPD-35034: [SDX/SaaS Migration] Utilities to migrate Ranger Service Tags
Utilities to migrate Ranger Service Tags
CDPD-47989: Ranger - Upgrade Netty to 4.1.86.Final due to CVE-2022-41881, CVE-2022-41915
Upgrade Netty to 4.1.86.Final
CDPD-49711: assignPermissionToUser in XUserMgr creates entries with NULL moduleId in x_user_module_perm
Fixed assignPermissionToUser in XUserMgr to correct the bug which assigns permissions for a module (which does not exist) to users with Auditor role.
CDPD-39208: Review and remove unused RDBMS tables used by Ranger admin service
Remove unused RDBMS tables used by Ranger admin service
CDPD-53805: Ozone_key tag based policies are not working
Root cause: Ozone qualified name parsing had an issue wherein '/' was getting included in the key name, which resulted in wrong key matching while enforcing policy. Resolution: the logic for parsing the Ozone qualified name was changed so that '/' is not included in the key name, which was causing the issue previously.
CDPD-55572: shell script to export, transform, import of ranger Roles for ranger replication
Shell script to export, transform, import of ranger Roles for ranger replication
CDPD-43132: Allow roles, tagrest & xaudit Ranger Admin APIs via knox proxy
This fix allows access to ranger role, tagrest and xaudit ranger admin APIs from knox proxy.
CDPD-57018: Ranger - Upgrade aws-java-sdk to 1.12.367+
Upgrade aws-java-sdk to 1.12.481
CDPD-48119: Ranger - Upgrade OWASP Java HTML Sanitizer due to security CVEs
Upgrade OWASP Java HTML Sanitizer
CDPD-50588: [719 CLONE] - Update dependencies to support macOS aarch64 M1 (Apple Silicon) environment
Support ranger build on macOS aarch64 M1 (Apple Silicon) environment
OPSAPS-67025: CM changes for Key migration from KTS to RangerKMS
Migrating hadoop keys from Ranger KMS KTS database to Ranger KMS database
OPSAPS-67374: [7.1.9.x] Unable to locate appender KMS-AUDIT & KMS-METRICS error shown during Ranger KMS start task
Resolved log4j2 appender issues for Ranger KMS.
OPSAPS-65704: Alert or notification has to be done when Solr is down resulting in audit pile up in spool directory
A health alert will be shown on Cloudera Manager for Ranger plugin supported services, when the used space of ranger plugin spool directory (local directory) is greater than the threshold value.
OPSAPS-65894: Support LunaClient 10.3 for Ranger KMS DB
New documentation created for Luna 10.5
CDPD-50726: [7.1.9.x]- Need to update Knox re-write rules to allow access to newer APIs introduced in Ranger
Update Knox re-write rules to allow access to newer APIs introduced in Ranger
CDPD-29102: Ranger - Remove log4j 1.x dependencies due to EOL
Log4j 1.x dependency is removed and upgraded to log4j2
CDPD-54698: [7.1.9.x] - Ranger - Upgrade Scala to 2.13.9 due to CVE-2022-36944
Upgrade Scala to 2.13.9 as part of the CVE fix
CDPD-55164: ranger policy replication transform step is not printing logs
Improve ranger policy replication transformation logs
CDPD-56462: [7.1.9] - Ranger - Upgrade BeanShell to 2.1b5 due to high CVEs
Upgrade BeanShell to 2.1b5 by upgrading testNG to 7.0.0
CDPD-56454: [7.1.9]- Ranger - Upgrade Apache Derby due to critical CVEs
Upgrade Apache Derby to 10.14.2.0
CDPD-56455: [7.1.9] - Ranger - Upgrade Spring LDAP to 2.4.1 due to high CVEs
Upgrade Spring LDAP to 2.4.1
CDPD-55920: Turning usersync debug logging on results in users not getting synced due to NPE
Fix NPE while logging debug messages
CDPD-46256: Ranger Audit metrics page broken in New UI
Fixed Audit metrics not loading in New UI
CDPD-48041: Ranger - Upgrade commons-net to 3.9.0 due to CVE-2021-37533
Upgrade commons-net to 3.9.0
CDPD-47900: Log4j2 support in Ranger
Log4j 1.x dependency is removed and upgraded to log4j2
CDPD-46233: knox plugin is not working
The Knox service was failing when Audit metrics was enabled. The fix handles the CNF error in the Knox Ranger plugin, which took care of this error.
CDPD-53826: Ranger - Upgrade jettison to 1.5.4 due to CVE-2023-1436
Upgrade jettison to 1.5.4
CDPD-53804: Ranger - Upgrade Spring Framework to 5.3.26/6.0.7 due to CVE-2023-20861 and CVE-2023-20860
Upgrade Spring Framework to 5.3.27
CDPD-48032: Ranger - Upgrade jettison to 1.5.2 due to CVE-2022-45685 and CVE-2022-45693
Upgrade jettison to 1.5.2

Apache patch information

  • RANGER-4163
  • RANGER-4205
  • RANGER-3957
  • RANGER-4245
  • RANGER-3498
  • RANGER-3975
  • RANGER-4074
  • RANGER-4108
  • RANGER-4173
  • KNOX-2911
  • RANGER-4262
  • RANGER-3863
  • RANGER-4212
  • RANGER-4232
  • RANGER-4204
  • RANGER-4159
  • RANGER-3947
  • RANGER-4081
  • RANGER-4135
  • RANGER-4026
  • RANGER-4257
  • RANGER-4127
  • RANGER-4255
  • RANGER-4220
  • RANGER-4109
  • RANGER-4129
  • RANGER-4043
  • RANGER-4123
  • RANGER-3794
  • RANGER-4226
  • RANGER-4165
  • RANGER-4151
  • RANGER-4150
  • RANGER-4230
  • RANGER-4071
  • RANGER-3939
  • RANGER-4083
  • RANGER-4073