Fixed Issues in Ranger

Review the list of Ranger issues that are resolved in CDP Private Cloud Base 7.3.1.

CDPD-73663: RMS server threw ConcurrentModificationException
The original ConcurrentModificationException was likely thrown when the resource-mappings were modified in response to changes in the Hive metadata while they were being serialized for downloading to the NameNode (or secondary-namenode).
The fix is to create a shallow copy of resource-mappings before applying deltas, which ensures that resource-mappings are not modified while they are being serialized for downloading to the NameNode.
CDPD-73326: Reduce memory needed to create Ranger policy engine
Ranger policy engine creates a RangerPolicyResourceMatcher object for every resource specified either in policy or in a tag association. PolicyResourceMatcher, for the services that have more than one level in their resource hierarchy, consists of RangerResourceMatcher objects for each level in the resource-level hierarchy for the resource. In many cases, this leads to creation of multiple RangerResourceMatchers with identical resource specification.

The fix for this issue avoids creation of multiple RangerResourceMatcher objects by maintaining a cache of them in the RangerPluginContext object associated with the Ranger policy engine, thereby reducing the policy engine's memory needs.

CDPD-73144: Trie to support processing of evaluators during traversal
Ranger policy engine uses trie data structure to organize resources for faster retrieval of policies/tags/zones associated with a given resource. When a resource consists of multiple elements, like database/table/column, as many trie instances are consulted to retrieve policies/tags/zones associated with the resource. Such multi-trie retrieval can be optimized with a 2-pass traversal - first pass to get count and the second pass to get the actual objects. Trie data structure used in Ranger policy engine should be updated to support this optimization.

The trie is now enhanced to support processing of evaluators during traversal.

CDPD-72207: ll_service_id is empty for an invalid notification type
The fix corrects the query to fetch latestInvalidNotificationId even though ll_service_id is empty. This ensures that NameNode gets the appropriate delta's mappings.
CDPD-72203: Users observing role change from ROLE_SYS_ADMIN to ROLE_USER
Fixes role reset (to USER role) for users in usersync paged requests to ranger-admin.
CDPD-71719: Ranger override policy was not working
Ranger override policy was not allowing the access even though all permissions were given to the user.
This fix ensures that once all of the requested accesses are successfully allowed by (possibly multiple) Ranger policies, the access evaluation terminates with access allowed as the result.
CDPD-70081: "Drop database cascade" resulted in dropping of a table on which the user did not have access
Drop database cascade failed if the user did not have access to one or more of the underlying tables. It deleted the tables the user had access to but not the others, which also caused the database not to be dropped.
This issue is fixed now.
CDPD-70003: Ranger KMS solr auditing fails when secure zk port 2182 is used
The fix includes the Netty-specific libraries so that Ranger KMS auditing to Solr supports ZooKeeper SSL-enabled connections.
CDPD-69488: Upgrade failure due to NPE in PatchForUpdatingServiceDefJson_J10058
The patch upgrade failure for non-default service-defs is fixed now.
CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy
The fix allows large policy files to be imported using the Ranger importPoliciesFromFile API through Knox.
CDPD-68921: Exclude flag not taking effect for Ozone key resource in Ranger policy
The exclude flag now takes effect for the Ozone key resource in Ranger policies.
CDPD-67823: Ranger RMS gives all permissions to the user through the Create permission
An additional check is now made to ensure that a user attempting to alter an HDFS directory that maps to a Hive database is the owner of that Hive database before the attempted operation is allowed.
CDPD-67193: Issue with inactivityTimeout getting reset
The inactivityTimeout was getting reset when a user updated their profile from the UserProfile page.

The issue is fixed: inactivityTimeout is no longer reset to the default value of 15 minutes when a user updates their profile from the UserProfile page on the Ranger Admin UI.

CDPD-66927: HDFS authorization logic for directory hierarchy rooted at "/" is incorrect
Ranger authorization logic for the HDFS commands that require authorization of the entire directory hierarchy rooted at the specified directory argument is incorrect as it does not correctly compute the sub-directory paths. The paths of sub-directories that need to be authorized incorrectly contain an extra '/' character, which leads to incorrect authorization results.

The issue is fixed now.
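
The following is an added illustration of this class of defect, not Ranger source code: joining a parent directory and a child name with an unconditional '/' produces a doubled separator when the parent is the root, and the resulting path no longer matches the path a policy was written for. The class name, method names, the toy policy check and the sample paths are all assumptions made for the example.

```java
import java.util.List;

// Added illustration; not Ranger source. All names here are hypothetical.
public class SubDirPathDemo {

    // Defective join: assumes the parent never ends with '/', so "/" + "/" + name gives "//name".
    static String joinNaive(String parent, String child) {
        return parent + "/" + child;
    }

    // Corrected join: add the separator only when the parent does not already end with one.
    static String joinFixed(String parent, String child) {
        return parent.endsWith("/") ? parent + child : parent + "/" + child;
    }

    // Toy policy check (assumption): a path is covered if it equals a policy path or lies below it.
    static boolean covered(List<String> policyPaths, String path) {
        for (String p : policyPaths) {
            if (path.equals(p) || path.startsWith(p + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> policyPaths = List.of("/warehouse", "/tmp"); // constructed sample policy paths
        String[] children = {"warehouse", "tmp"};                 // constructed child directory names

        // Compare both joins for the root and for a non-root parent.
        for (String parent : new String[] {"/", "/warehouse"}) {
            for (String child : children) {
                String naive = joinNaive(parent, child);
                String fixed = joinFixed(parent, child);
                System.out.printf("parent=%-11s naive=%-22s covered=%-5b fixed=%-21s covered=%b%n",
                        parent, naive, covered(policyPaths, naive),
                        fixed, covered(policyPaths, fixed));
            }
        }
    }
}
```

Only the rows with parent "/" differ between the two joins, which is why a defect of this kind shows up specifically for hierarchies rooted at "/".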

CDPD-66842: Ranger Admin server gives empty response
Ranger Admin server gave an empty response when a user with user-role tried to update lastname or email address.

The issue is fixed now. An error response with a message is shown when a user with user-role tries to add or update the last name or email address.

CDPD-66839: Enhance perf-tracer to get CPU time when possible
Ranger module is instrumented with performance measurement code. It enables performance logging for the module and helps in measuring the amount of time spent during execution of various methods/functions during its operation. For achieving more precise time measurement, this feature supports nanosecond precision when the JVM version supports it.
CDPD-66624: Transform URLs with or without “/” at the end issue
The fix enables the transformation step to handle “/” at the end of the path.
CDPD-66404: Merging apache ranger jiras for handling local storage data for column show/hide functionality
Implemented Column Hide/Show functionality in Audit > Plugin Status tab.
CDPD-66358: HS2 logs having a huge number of WARN logs
HS2 logs had a huge number of WARN logs from RangerHiveAuthorizer regarding connection to HMS for fetching Hive object owner.

This fix addresses the issue where HS2 logs have a huge number of WARN logs.

CDPD-66136: Display of query information for Show databases/schemas command on Ranger Admin UI
In the Ranger React UI, if the resource type for certain commands was logged as "null" in the audits, then in the access audits, the information of the query/operations performed would not be displayed.
This ticket addresses the issue and displays the query/operation information for access audits where the resource type was "null".
CDPD-66092: Ranger Javapatch failure even if service-defs do not exist in Ranger DB
Added support to upgrade non-default service-defs in Ranger.
CDPD-65923: Audit logs for Mask and Row policy does not show policy condition under policy item
The fix now shows policy conditions under policy items for Mask and Row policy Audit logs.
CDPD-65650: Pagination missing on the Ranger Admin - Plugin Status page
This fix offers the following:
  • Sorting works properly after this patch.
  • Pagination added.
CDPD-63747: Cache the results of access evaluation
This feature trades higher memory requirements for potentially faster evaluation of policies when a chained-plugin (as when RMS is enabled) is configured for HDFS storage authorization. If the configuration parameter "ranger.plugin.hdfs.useResultCache" (default: false) is set to true, then the result of Hive policy authorization for an HDFS storage location is cached and is reused in subsequent accesses of that HDFS location.
OPSAPS-70838: Flink user should be added by default in ATLAS_HOOK topic policy in Ranger >> cm_kafka
The "flink" service user is granted publish access on the ATLAS_HOOK topic by default in the Kafka Ranger policy configuration.
OPSAPS-69411: Update AuthzMigrator GBN to point to latest non-expired GBN
Users will now be able to export sentry data only for given Hive objects (databases and tables and the respective URLs) by using the config "authorization.migration.export.migration_objects" during export.

Apache Patch information

  • RANGER-4973
  • RANGER-4972
  • RANGER-4960
  • RANGER-4933
  • RANGER-4912
  • RANGER-4905
  • RANGER-4893
  • RANGER-4833
  • RANGER-4823
  • RANGER-4819
  • RANGER-4818
  • RANGER-4802
  • RANGER-4799
  • RANGER-4798
  • RANGER-4797
  • RANGER-4796
  • RANGER-4791
  • RANGER-4786
  • RANGER-4782
  • RANGER-4781
  • RANGER-4780
  • RANGER-4774
  • RANGER-4767
  • RANGER-4753
  • RANGER-4747
  • RANGER-4745
  • RANGER-4737
  • RANGER-4729
  • RANGER-4722
  • RANGER-4720
  • RANGER-4718
  • RANGER-4717
  • RANGER-4710
  • RANGER-4699
  • RANGER-4698
  • RANGER-4690
  • RANGER-4689
  • RANGER-4688
  • RANGER-4681
  • RANGER-4673
  • RANGER-4668
  • RANGER-4653
  • RANGER-4641
  • RANGER-4611
  • RANGER-4609
  • RANGER-4607
  • RANGER-4598
  • RANGER-4597
  • RANGER-4596
  • RANGER-4595
  • RANGER-4594
  • RANGER-4593
  • RANGER-4591
  • RANGER-4590
  • RANGER-4589
  • RANGER-4588
  • RANGER-4586
  • RANGER-4578
  • RANGER-4577
  • RANGER-4576
  • RANGER-4575
  • RANGER-4574
  • RANGER-4573
  • RANGER-4568
  • RANGER-4555
  • RANGER-4554
  • RANGER-4553
  • RANGER-4552
  • RANGER-4551
  • RANGER-4550
  • RANGER-4549
  • RANGER-4548
  • RANGER-4547
  • RANGER-4546
  • RANGER-4545
  • RANGER-4544
  • RANGER-4532
  • RANGER-4515
  • RANGER-4513
  • RANGER-4492
  • RANGER-4370
  • RANGER-4303
  • RANGER-4278
  • RANGER-4261
  • RANGER-4229
  • RANGER-4221
  • RANGER-4172
  • RANGER-4010
  • RANGER-3805
  • RANGER-3772
  • RANGER-3759
  • RANGER-3745
  • RANGER-3657
  • RANGER-3182
  • RANGER-3174