Known Issues in Apache Ranger

Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.

CDPD-66092: Upgrade from CDP-7.1.8 to 7.1.9 fails, Ranger shows no policies at all, due to Java patches not being applied during upgrade. This causes rolling restart of services to fail.
Skip applying any of the following java patches NOT applicable to the underlying environment. In other words, do not apply patches for a service definition that does not appear in ranger database.
Table 1. Java Patches and Related Service Definitions
Java patch Servic-definition Hive Tag HBase HDFS HDFS Ozone Ozone Ozone
CDPD-61050: When there are no roles defined in Ranger, creating ranger replication policy causes empty export roles file to be created which causes transform step to fail.
If source Ranger has at least 1 role, then the issue does not appear. For this, you can create a dummy role on the source Ranger.
CDPD-60489: Jackson-dataformat-yaml 2.12.7 and Snakeyaml 2.0 are not compatible.
You must not use Jackson-dataformat-yaml through the platform for YAML parsing.
CDPD-56803: When there is no existing policy for user and a revoke request comes from hbase, then will get this error.
   hbase:001:0> revoke 'hrt_11'
 ERROR: org.apache.hadoop.hbase.coprocessor.CoprocessorException: HTTP 400 Error: processSecureRevokeRequest processing failed
	at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preRevoke(
	at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preRevoke(
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost$
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost$
	at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(
	at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preRevoke(
	at org.apache.hadoop.hbase.master.MasterRpcServices.revoke(
	at org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(
	at org.apache.hadoop.hbase.ipc.RpcExecutor$
	at org.apache.hadoop.hbase.ipc.RpcExecutor$
CDPD-56741: Improvement in log message when jwtauth not used
The following exception is printed at startup only and it is not cluttering logs:
2023-05-30 06:18:40,127 ERROR]: 
Failed to initialize Ranger RMS JWT Auth Filter.
java.lang.Exception: RangerJwtAuthHandler: 
Mandatory configs ('jwks.provider-url' & 'jwt.public-key') are missing, must provide atleast one.
at org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler.initialize( 
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImp
This exception is logged, since mandatory JWT auth filter configs are not provided (expected for some environments like y-cloud) Even though JWT auth filter is failed to initialised, it falls back to kerberos auth, hence no impact from auth perspective
CDPD-56738: Ranger RMS showing FileNotFoundException: /usr/share/java/oraclepki.jar in Oracle 19 setup
This is a warning log printed in catalina.out file when Ranger RMS server is initialised. Following exception is observed only in Oracle 19 setup. FileNotFoundException: /usr/share/java/oraclepki.jar
CDPD-55107: Not able to search using muliple user filter in access audit tab
If you were using multiple user search filters in Audit > Access Tab on Ranger Admin UI, after upgrading to CDP-7.1.9 that would not be supported. You can continue to search user with single search filter.
CDPD-48975: Ranger KMS KTS to KMS DB migration : keys with the same name but different case are not migrated
KMS keys are not case sensitive
No work arounds. Such keys combination are very rare and migration doc was updated to check such keys before starting the migration.
CDPD-58704: hadoop roll key / key delete command shows operation failed error when one KMS host is down, even when operation succeeds
In case of rollover/delete, client sends one more (last after delete request) request to KMS instances to clean their cache and that too to all registered kms instances. if one KMS instance is stopped ( not deleted), client gets runtime exception.
This simply returns the runtime exception on client end for stopped instances but doesn't break any functionality.
CDPD-41582: Atlas Resource Lookup : Classification for "entity-type" lists only classification for the following payload:

{"resourceName": "classification", "userInput": "", "resources": {"classification": []}}]

expectation is to return all the classifications . But the response has only "classification"Happens similarly for entity-label , entity-business-metadata.

CDPD-42598: Kafka policy creation allowed with incorrect permissions.

When creating a Kafka policy from the UI, the permissions "Idempotent write"and "Cluster action" are not displayed as they are not applicable for the "topic" resource, but when creating a policy for the "topic" resource with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully when the expected behaviour is that the policy creation must fail as the permission is not applicable for the Kafka topic resource

CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column.

A user is allowed to enter data into a table even if there is a deny policy present on one of the table columns.

Test scenario details:
Policy setup :-
policy 1 :- all access policy for hrt_qa, hive and impala users
 resources - database - * , table - *, column - *
 users : hrt_qa, hive, impala
 access - all access allowed
policy 2 :- policy on test_1.table_1 for hrt_5
 users : hrt_5
 resources : database - test_1, table - table_1, column - *
 access :- all access allowed
policy 3 :- deny policy on test_1.table_1.c0 for hrt_5
 users : hrt_5
 resources : database - test_1, table - table_1, column - c0
 access - all access denied
data setup :-
database - test_1
table - table_1(c0 int, c1 int)

The user is able to insert data into the table.

CDPD-58860: After upgrading CDP-7.1.8 to CDP-7.1.9, cdp-proxy token missing from knox-ranger policy.

As part of OPSAPS-67480 in 719 default ranger policy is added from cdp-proxy-token topology, so that after a new installation of CDP-7.1.9, the knox-ranger policy includes cdp-proxy-token. However, upgrades do not add cdp-proxy-token to cm_knox policies automatically.

Manually add cdp-proxy-token to the knox policy, using Ranger Admin Web UI.
  1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
  2. On Ranger Admin Web UI > Service Manager > Resource > Knox, click cm_knox.
  3. In Knox Policies, open the CDP Proxy UI, API and Token policy.
  4. In Knox Topology*, add cdp-proxy-token.
  5. Click Save.
  6. Restart Ranger.
CDPD-60633: User with user-role is revoked default 'Security Zone' module permission from Ranger Admin, will not be able to access policies on Ranger Admin UI

By default, user with user role has permission to 'Security Zone' module. If you have revoked the permission of a user with user role for 'Security Zone' module from Ranger Admin, then the policy listing page is stuck on loading.

As a Ranger Administrator user, edit the User and Group permissions for Security Zone by adding the user with user-role to the Security Zone, as follows:
  1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
  2. On Ranger Admin Web UI > Settings > Permissions > Security Zone, click Edit.
  3. On Edit Permission > User and Group Permissions > Select and Add User:
    1. Click Select Users.
    2. Choose {User}.
    3. Click +.
    4. Click Save.
    5. Log out and log in again with the added user.

If you have a restriction to not give the permission to the user, then there is an alternate workaround to switch to Ranger Admin using Backbone JS where the user with restricted 'Security Zone' module permission can access policies.

  1. Login to Ranger Admin Web UI.
  2. On Ranger Admin Web UI > User Profile menu, click Backbone Classic UI.

You will be redirected to the old Ranger Admin UI where you can access policies.

CDPD-61439: In Tag-based policy from Ranger Admin UI, Allow Conditions permissions item is not showing services permissions which have enableDenyAndExceptionsInPolicies flag false

Steps to reproduce :

  1. On Ranger Admin Web UI > Service Manager > Tag Policies > Access tab, click Add New Policy.
  2. On Create Policy > Allow Conditions > (component) Permissions, click +.

In Component Permissions > Select Component; the following components, which have the option enableDenyAndExceptionsInPolicies=false, do not appear listed:

  • elasticsearch
  • kylin
  • nifi-registry
  • nifi
  • sqoop

However, these service components should be shown in the Allow condition.

Use the classic UI, as follows:
  1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
  2. On Ranger Admin Web UI > User Profile menu, click Backbone Classic UI.
  3. Go to Access Manager > Tag Based Policies > Access > Add New Policy.
  4. In Allow Conditions > Component Permissions, click +.

All components for which enableDenyAndExceptionsInPolicies=false, appear listed.