Behavioral Changes in Ranger

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Ranger.

Behavioral Changes in Cloudera Runtime 7.3.1.400 SP2

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.300 SP1 CHF 1

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.200 SP1

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.100 CHF 1

Summary: Hive authorization from Ranger for the Alter Table Rename command does not require the CREATE database permission on the database where the renamed table will be created.
Previous behavior:

In releases earlier than 7.3.1.100, whenever the Alter Table Rename command was used across databases in Hive, authorization from Ranger required the CREATE database permission for the user on the target database in which the renamed table was created.

New behavior:

In 7.3.1 CHF1 and later releases, whenever the Alter Table Rename command is used across databases in Hive, authorization from Ranger does not check for the CREATE database permission for the user on the target database in which the renamed table will be created.

Behavioral Changes in Cloudera Runtime 7.3.1

Summary: Ranger access audit behavior changes.
Previous behavior:
When you ran the hdfs dfs -copyFromLocal command, audit logs were generated for the following:
  • "write" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you ran the hdfs dfs -touch command, an audit log was generated for the following:
  • "write" Access Type and "write" permission.
New behavior:
When you run the hdfs dfs -copyFromLocal command, audit logs are generated for the following:
  • "create" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you run the hdfs dfs -touch command, an audit log is generated for the following:
  • "create" Access Type and "write" permission.
Summary: StorageHandler authorization has to be enabled for Ranger by setting the property "hive.security.authorization.tables.on.storagehandlers" to True in the hive-site.xml file in the HiveServer2 service.
Previous behavior:
This property was set to true by default.
New behavior:
In Data Hub, you configure hive.security.authorization.tables.on.storagehandlers = true to enable authorization of StorageHandler-based tables:
  1. In Cloudera Manager, click Clusters > Hive > Configurations, and search for hive.security.authorization.tables.on.storagehandlers.
  2. Set the value to true.
  3. Save changes.
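
The following check is an added example, not code from Cloudera or the Apache Ranger project. It reads the text of a hive-site.xml file and reports whether StorageHandler authorization is effectively enabled, treating an unset property as disabled to match the new behavior described above. The function names and sample XML are constructed for illustration, and the handling of duplicate entries, <final> and true/false parsing is an assumption modeled on Hadoop's Configuration loading.

```python
import xml.etree.ElementTree as ET

PROP = "hive.security.authorization.tables.on.storagehandlers"

def effective_value(hive_site_xml, name=PROP):
    """Raw value kept for `name`, or None if the property is absent.
    Assumption: later entries override earlier ones unless one was <final>."""
    value, locked = None, False
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        if locked or (prop.findtext("name") or "").strip() != name:
            continue
        value = prop.findtext("value") or ""
        locked = (prop.findtext("final") or "").strip().lower() == "true"
    return value

def storagehandler_authz(hive_site_xml, default_enabled=False):
    """Return (enabled, reason). default_enabled=False models 7.3.1 and later,
    where the property has to be set explicitly; pass True for older releases."""
    raw = effective_value(hive_site_xml)
    if raw is None:
        return default_enabled, "property not set; default applies"
    v = raw.strip().lower()  # assumption: trimmed, case-insensitive parsing
    if v in ("true", "false"):
        return v == "true", "explicitly set to " + v
    return default_enabled, "unparseable value %r; default applies" % raw

# Constructed samples, not taken from a real cluster.
UNSET = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>"""
ENABLED = """<configuration>
  <property><name>%s</name><value> True </value></property>
</configuration>""" % PROP
PINNED_OFF = """<configuration>
  <property><name>%s</name><value>false</value><final>true</final></property>
  <property><name>%s</name><value>true</value></property>
</configuration>""" % (PROP, PROP)

if __name__ == "__main__":
    for label, xml in (("unset", UNSET), ("enabled", ENABLED), ("pinned off", PINNED_OFF)):
        print(label, storagehandler_authz(xml))
```

Run it against the hive-site.xml that HiveServer2 actually loads, since a client-side copy of the file can differ.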