Fixed Issues in Ranger
Review the list of Ranger issues that are resolved in CDP Private Cloud Base 7.3.1.
- CDPD-73663: RMS server threw ConcurrentModificationException
- The original ConcurrentModificationException was likely thrown when the resource-mappings were modified in response to changes in the Hive metadata while they were being serialized for downloading to the NameNode (or secondary-namenode).
- CDPD-73326: Reduce memory needed to create Ranger policy engine
- Ranger policy engine creates a RangerPolicyResourceMatcher object for every resource specified either in policy or in a tag association. PolicyResourceMatcher, for the services that have more than one level in their resource hierarchy, consists of RangerResourceMatcher objects for each level in the resource-level hierarchy for the resource. In many cases, this leads to creation of multiple RangerResourceMatchers with identical resource specification.
The fix for this issue avoids creation of multiple RangerResourceMatcher objects by maintaining a cache of them in the RangerPluginContext object associated with the Ranger policy engine, thereby reducing the policy engine's memory needs.
- CDPD-73144: Trie to support processing of evaluators during traversal
- Ranger policy engine uses a trie data structure to organize resources for faster retrieval of policies/tags/zones associated with a given resource. When a resource consists of multiple elements, like database/table/column, as many trie instances are consulted to retrieve policies/tags/zones associated with the resource. Such multi-trie retrieval can be optimized with a 2-pass traversal: the first pass to get the count and the second pass to get the actual objects. The trie data structure used in Ranger policy engine should be updated to support this optimization.
The trie is now enhanced to support processing of evaluators during traversal.
- CDPD-72207: ll_service_id is empty for an invalid notification type
- The fix corrects the query to fetch latestInvalidNotificationId even though ll_service_id is empty. This ensures that NameNode gets the appropriate delta's mappings.
- CDPD-72203: Users observing role change from ROLE_SYS_ADMIN to ROLE_USER
- Fixes role reset (to USER role) for users in usersync paged requests to ranger-admin.
- CDPD-71719: Ranger override policy was not working
- Ranger override policy was not allowing the access even though all permissions were given to the user.
- CDPD-70081: "Drop database cascade" resulted in dropping of a table on which the user did not have access
- Drop database cascade failed if the user did not have access to one or more of the underlying tables. It deleted the tables the user had access to but not the others, which caused the database not to be dropped as well.
- CDPD-70003: Ranger KMS solr auditing fails when secure zk port 2182 is used
- The fix includes the Netty-specific libraries so that the Ranger KMS to Solr connection supports ZooKeeper SSL-enabled connections.
- CDPD-69488: Upgrade failure due to NPE in PatchForUpdatingServiceDefJson_J10058
- The patch upgrade failure in a non-default service-def is fixed now.
- CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy
- The fix enables importing large policy files using the Ranger importPoliciesFromFile API through Knox.
- CDPD-68921: Exclude flag not taking effect for Ozone key resource in Ranger policy
- Fix for exclude flag not taking effect for Ozone key resource in Ranger policy has been added.
- CDPD-67823: Ranger RMS gives all permissions to the user through the Create permission
- An additional check is now made to ensure that the user attempting to alter an HDFS directory that maps to the Hive database is the owner of the Hive database before the attempted operation is allowed.
- CDPD-67193: Issue with inactivityTimeout getting reset
- The inactivityTimeout was getting reset when a user updated their profile from the UserProfile page.
The fix no longer resets inactivityTimeout to the default value of 15 minutes when a user updates their profile from the UserProfile page on the Ranger Admin UI.
- CDPD-66927: HDFS authorization logic for directory hierarchy rooted at "/" is incorrect
- Ranger authorization logic for the HDFS commands that require authorization of the entire directory hierarchy rooted at the specified directory argument is incorrect as it does not correctly compute the sub-directory paths. The paths of sub-directories that need to be authorized incorrectly contain an extra '/' character, which leads to incorrect authorization results.
The issue is fixed now.
- CDPD-66842: Ranger Admin server gives empty response
- Ranger Admin server gave an empty response when a user with user-role tried to update last name or email address.
The issue is fixed now. An error response with a message is shown when a user with user-role tries to add/update last name or email address.
- CDPD-66839: Enhance perf-tracer to get CPU time when possible
- Ranger module is instrumented with performance measurement code. It enables performance logging for the module and helps in measuring the amount of time spent during execution of various methods/functions during its operation. For achieving more precise time measurement, this feature supports nanosecond precision when the JVM version supports it.
- CDPD-66624: Transform URLs with or without “/” at the end issue
- The fix enables the transformation step to handle “/” at the end of the path.
- CDPD-66404: Merging apache ranger jiras for handling local storage data for column show/hide functionality
- Implemented Column Hide/Show functionality in tab.
- CDPD-66358: HS2 logs having a huge number of WARN logs
- HS2 logs had a huge number of WARN logs from RangerHiveAuthorizer regarding connection to HMS for fetching Hive object owner.
This fix addresses the issue where HS2 logs have a huge number of WARN logs.
- CDPD-66136: Display of query information for Show databases/schemas command on Ranger Admin UI
- In Ranger React UI, if the resource type for certain commands was logged as "null" in the audits, then in the access audits, the information of the query/operations performed would not be displayed.
- CDPD-66092: Ranger Javapatch failure even if service-defs do not exist in Ranger DB
- Added support to upgrade non-default service-defs in Ranger.
- CDPD-65923: Audit logs for Mask and Row policy does not show policy condition under policy item
- The fix now shows policy conditions under policy items for Mask and Row policy Audit logs.
- CDPD-65650: Pagination missing on the Ranger Admin - Plugin Status page
- This fix offers the following:
  - Sorting works properly after this patch.
  - Pagination added.
- CDPD-63747: Cache the results of access evaluation
- This feature trades a higher memory requirement for potentially faster evaluation of policies when a chained plugin (as when RMS is enabled) is configured for HDFS storage authorization. If the configuration parameter "ranger.plugin.hdfs.useResultCache" (default: false) is set to true, then the result of Hive policy authorization for an HDFS storage location is cached and is reused in subsequent accesses of that HDFS location.
- OPSAPS-70838: Flink user should be added by default in ATLAS_HOOK topic policy in Ranger >> cm_kafka
- The "flink" service user is granted publish access on the ATLAS_HOOK topic by default in the Kafka Ranger policy configuration.
- OPSAPS-69411: Update AuthzMigrator GBN to point to latest non-expired GBN
- Users will now be able to export sentry data only for given Hive objects (databases and tables and the respective URLs) by using the config "authorization.migration.export.migration_objects" during export.
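The sub-directory path problem described under CDPD-66927, shown as an added illustration that is not Ranger's code: the directory tree, the toy prefix policy and all helper names are constructed, and plain string concatenation is an assumed way for the extra '/' to arise. It compares the paths submitted for authorization when the hierarchy is rooted at "/" with and without the duplicated separator.

```python
import posixpath

# Constructed sample tree: directory -> names of its child directories.
TREE = {"/": ["data", "tmp"], "/data": ["sales"], "/data/sales": [], "/tmp": []}

# Constructed toy policy: paths the user may access, matched recursively.
ALLOWED_PREFIXES = ["/data", "/tmp"]


def join_naive(parent, name):
    """Concatenation that yields '//data' when parent is '/' (assumed bug shape)."""
    return parent + "/" + name


def join_fixed(parent, name):
    """Join that does not duplicate the separator at the root."""
    return parent + name if parent.endswith("/") else parent + "/" + name


def subdirs(root, join):
    """Walk TREE from root and return every descendant path as built by join."""
    out, stack = [], [(root, root)]  # (real key in TREE, path as computed)
    while stack:
        key, path = stack.pop()
        for name in TREE[key]:
            child_path = join(path, name)
            out.append(child_path)
            stack.append((posixpath.join(key, name), child_path))
    return sorted(out)


def is_allowed(path):
    """Toy matcher: exact match or descendant of an allowed prefix."""
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def authorize_hierarchy(root, join):
    """Return (decision, paths that did not match the toy policy)."""
    failed = [p for p in subdirs(root, join) if not is_allowed(p)]
    return (not failed, failed)


if __name__ == "__main__":
    for join in (join_naive, join_fixed):
        print(join.__name__, authorize_hierarchy("/", join))
```

A regression test for this class of bug should include the root directory as the argument, since the same concatenation produces correct paths for any non-root starting directory.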
Apache Patch information
- RANGER-4973
- RANGER-4972
- RANGER-4960
- RANGER-4933
- RANGER-4912
- RANGER-4905
- RANGER-4893
- RANGER-4833
- RANGER-4823
- RANGER-4819
- RANGER-4818
- RANGER-4802
- RANGER-4799
- RANGER-4798
- RANGER-4797
- RANGER-4796
- RANGER-4791
- RANGER-4786
- RANGER-4782
- RANGER-4781
- RANGER-4780
- RANGER-4774
- RANGER-4767
- RANGER-4753
- RANGER-4747
- RANGER-4745
- RANGER-4737
- RANGER-4729
- RANGER-4722
- RANGER-4720
- RANGER-4718
- RANGER-4717
- RANGER-4710
- RANGER-4699
- RANGER-4698
- RANGER-4690
- RANGER-4689
- RANGER-4688
- RANGER-4681
- RANGER-4673
- RANGER-4668
- RANGER-4653
- RANGER-4641
- RANGER-4611
- RANGER-4609
- RANGER-4607
- RANGER-4598
- RANGER-4597
- RANGER-4596
- RANGER-4595
- RANGER-4594
- RANGER-4593
- RANGER-4591
- RANGER-4590
- RANGER-4589
- RANGER-4588
- RANGER-4586
- RANGER-4578
- RANGER-4577
- RANGER-4576
- RANGER-4575
- RANGER-4574
- RANGER-4573
- RANGER-4568
- RANGER-4555
- RANGER-4554
- RANGER-4553
- RANGER-4552
- RANGER-4551
- RANGER-4550
- RANGER-4549
- RANGER-4548
- RANGER-4547
- RANGER-4546
- RANGER-4545
- RANGER-4544
- RANGER-4532
- RANGER-4515
- RANGER-4513
- RANGER-4492
- RANGER-4370
- RANGER-4303
- RANGER-4278
- RANGER-4261
- RANGER-4229
- RANGER-4221
- RANGER-4172
- RANGER-4010
- RANGER-3805
- RANGER-3772
- RANGER-3759
- RANGER-3745
- RANGER-3657
- RANGER-3182
- RANGER-3174