Behavioral Changes in Ranger

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Ranger.

Summary: Ranger access audit behavior changes.
Previous behavior:
When you ran hdfs dfs -copyFromLocal command, audit logs were generated for the following:
  • "write" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you ran hdfs dfs -touch command, audit log was generated for the following:
  • "write" Access Type and "write" permission.
New behavior:
When you run hdfs dfs -copyFromLocal command, audit logs are generated for the following:
  • "create" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you run hdfs dfs -touch command, audit log is generated for the following:
  • "create" Access Type and "write" permission.
Summary: Storagehandler authorisation has to be enabled for Ranger by setting the property "hive.security.authorization.tables.on.storagehandlers" to True in hive-site.xml file in HiveServer2 service.
Previous behavior:
This property was set to true by default.
New behavior:
In Data Hub, you configure hive.security.authorization.tables.on.storagehandlers = true to enable authorization of StorageHandler-based tables:
  1. In Cloudera Manager, click Clusters > Hive > Configurations, and search for hive.security.authorization.tables.on.storagehandlers.
  2. Set the value to true.
  3. Save changes.