Cloudera Docs

Behavioral Changes in Ranger

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Ranger.

Behavioral Changes in Cloudera Runtime 7.3.1.500 SP3

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.300 SP1 CHF 1

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.200 SP1

There are no behavioral changes in this release.

Behavioral Changes in Cloudera Runtime 7.3.1.100 CHF 1

Summary: Hive authorization from Ranger for Alter Table Rename command does not require CREATE database permission on the database where the renamed table will be created.
Previous behavior:

In releases earlier than 7.3.1.100, whenever Alter Table Rename command was used across databases in Hive, authorization from Ranger required CREATE database permission for the user on the target database in which the renamed table was created.

New behavior:

In 7.3.1 CHF1 and later releases, whenever Alter Table Rename command is used across databases in Hive, authorization from Ranger does not check for CREATE database permission for the user on the target database in which the renamed table will be created.

Behavioral Changes in Cloudera Runtime 7.3.1

Summary: Policy resources in the Ranger Admin UI are being added using React JS instead of Backbone JS
Previous behavior:

Earlier with Backbone JS, when you copied and pasted resource values containing commas or spaces (for example, in Hive policy resources: database1, database2), the UI automatically split them into separate values — database1 and database2. The same behaviour applied to space-separated values. Because of this, you were not allowed to enter resource names containing commas and spaces, and this limitation affected all service policy resources.

New behavior:

After upgrading from Backbone JS to React JS, this restriction has been removed. Now, React JS treats pasted values with commas or spaces as a single entry. Hence, you can no longer paste multiple values at once; you must manually add each resource value.

Summary: Ranger access audit behavior changes.
Previous behavior:
When you ran hdfs dfs -copyFromLocal command, audit logs were generated for the following:
  • "write" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you ran hdfs dfs -touch command, audit log was generated for the following:
  • "write" Access Type and "write" permission.
New behavior:
When you run hdfs dfs -copyFromLocal command, audit logs are generated for the following:
  • "create" Access Type and "write" permission.
  • "rename" Access Type and "write" permission.
When you run hdfs dfs -touch command, audit log is generated for the following:
  • "create" Access Type and "write" permission.
Summary: Storagehandler authorisation has to be enabled for Ranger by setting the property "hive.security.authorization.tables.on.storagehandlers" to True in hive-site.xml file in HiveServer2 service.
Previous behavior:
This property was set to true by default.
New behavior:
In Data Hub, you configure hive.security.authorization.tables.on.storagehandlers = true to enable authorization of StorageHandler-based tables:
  1. In Cloudera Manager, click Clusters > Hive > Configurations, and search for hive.security.authorization.tables.on.storagehandlers.
  2. Set the value to true.
  3. Save changes.