Known Issues in Apache Ranger
Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.
- CDPD-66092: Upgrade from CDP-7.1.8 to 7.1.9 fails, Ranger shows no policies at all, due to Java patches not being applied during upgrade. This causes rolling restart of services to fail.
-
Skip applying any of the following java patches NOT applicable to the underlying environment. In other words, do not apply patches for a service definition that does not appear in ranger database.
Table 1. Java Patches and Related Service Definitions Java patch Servic-definition PatchForHiveServiceDefUpdate_J10027.java Hive PatchForTagServiceDefUpdate_J10028.java Tag PatchForHBaseServiceDefUpdate_J10035.java HBase PatchForHdfsAddChainedPluginProvider_J10038.java HDFS PatchForHdfsRemoveChainedPluginProvider_J10039.java HDFS PatchForOzoneServiceDefUpdate_J10041.java Ozone PatchForOzoneServiceDefConfigUpdate_J10051.java Ozone PatchForOzoneServiceDefUpdate_J10057.java Ozone - CDPD-61050: When there are no roles defined in Ranger, creating ranger replication policy causes empty export roles file to be created which causes transform step to fail.
- If source Ranger has at least 1 role, then the issue does not appear. For this, you can create a dummy role on the source Ranger.
- CDPD-60489: Jackson-dataformat-yaml 2.12.7 and Snakeyaml 2.0 are not compatible.
- You must not use Jackson-dataformat-yaml through the platform for YAML parsing.
- CDPD-56803: When there is no existing policy for user and a revoke request comes from hbase, then will get this error.
-
hbase:001:0> revoke 'hrt_11' ERROR: org.apache.hadoop.hbase.coprocessor.CoprocessorException: HTTP 400 Error: processSecureRevokeRequest processing failed at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preRevoke(RangerAuthorizationCoprocessor.java:1309) at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preRevoke(RangerAuthorizationCoprocessor.java:1128) at org.apache.hadoop.hbase.master.MasterCoprocessorHost$162.call(MasterCoprocessorHost.java:1857) at org.apache.hadoop.hbase.master.MasterCoprocessorHost$162.call(MasterCoprocessorHost.java:1854) at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(CoprocessorHost.java:558) at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:631) at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preRevoke(MasterCoprocessorHost.java:1854) at org.apache.hadoop.hbase.master.MasterRpcServices.revoke(MasterRpcServices.java:2740) at org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java) at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:387) at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:139) at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:369) at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:349)
- CDPD-56741: Improvement in log message when jwtauth not used
- The following exception is printed at startup only and it is not cluttering logs:
- CDPD-56738: Ranger RMS showing FileNotFoundException: /usr/share/java/oraclepki.jar in Oracle 19 setup
- This is a warning log printed in catalina.out file when Ranger RMS server is initialised. Following exception is observed only in Oracle 19 setup. FileNotFoundException: /usr/share/java/oraclepki.jar
- CDPD-55107: Not able to search using muliple user filter in access audit tab
- If you were using multiple user search filters in Audit > Access Tab on Ranger Admin UI, after upgrading to CDP-7.1.9 that would not be supported. You can continue to search user with single search filter.
- CDPD-48975: Ranger KMS KTS to KMS DB migration : keys with the same name but different case are not migrated
- KMS keys are not case sensitive
- CDPD-58704: hadoop roll key / key delete command shows operation failed error when one KMS host is down, even when operation succeeds
- In case of rollover/delete, client sends one more (last after delete request) request to KMS instances to clean their cache and that too to all registered kms instances. if one KMS instance is stopped ( not deleted), client gets runtime exception.
- CDPD-41582: Atlas Resource Lookup : Classification for "entity-type" lists only classification for the following payload:
-
{"resourceName": "classification", "userInput": "", "resources": {"classification": []}}]
expectation is to return all the classifications . But the response has only "classification"Happens similarly for entity-label , entity-business-metadata.
- CDPD-42598: Kafka policy creation allowed with incorrect permissions.
-
When creating a Kafka policy from the UI, the permissions "Idempotent write"and "Cluster action" are not displayed as they are not applicable for the "topic" resource, but when creating a policy for the "topic" resource with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully when the expected behaviour is that the policy creation must fail as the permission is not applicable for the Kafka topic resource
- CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column.
-
A user is allowed to enter data into a table even if there is a deny policy present on one of the table columns.
Test scenario details:Policy setup :- policy 1 :- all access policy for hrt_qa, hive and impala users resources - database - * , table - *, column - * users : hrt_qa, hive, impala access - all access allowed policy 2 :- policy on test_1.table_1 for hrt_5 users : hrt_5 resources : database - test_1, table - table_1, column - * access :- all access allowed policy 3 :- deny policy on test_1.table_1.c0 for hrt_5 users : hrt_5 resources : database - test_1, table - table_1, column - c0 access - all access denied data setup :- database - test_1 table - table_1(c0 int, c1 int)
The user is able to insert data into the table.
- CDPD-58860: After upgrading CDP-7.1.8 to CDP-7.1.9, cdp-proxy token missing from knox-ranger policy.
-
As part of OPSAPS-67480 in 719 default ranger policy is added from cdp-proxy-token topology, so that after a new installation of CDP-7.1.9, the knox-ranger policy includes cdp-proxy-token. However, upgrades do not add cdp-proxy-token to cm_knox policies automatically.
- CDPD-60633: User with user-role is revoked default 'Security Zone' module permission from Ranger Admin, will not be able to access policies on Ranger Admin UI
-
By default, user with user role has permission to 'Security Zone' module. If you have revoked the permission of a user with user role for 'Security Zone' module from Ranger Admin, then the policy listing page is stuck on loading.
- CDPD-61439: In Tag-based policy from Ranger Admin UI, Allow Conditions permissions item is not showing services permissions which have enableDenyAndExceptionsInPolicies flag false
-
Steps to reproduce :
- On Add New Policy. , click
- On +. , click
In enableDenyAndExceptionsInPolicies=false, do not appear listed:
; the following components, which have the option- elasticsearch
- kylin
- nifi-registry
- nifi
- sqoop
However, these service components should be shown in the Allow condition.