Known Issues in Apache Ranger
Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.
- Ranger Tagsync does not support Ozone OFS paths / O3FS recursive feature not supported (Tag based access control behavior may not be as expected for ozone)
- There is no support for OFS path/O3FS recursive feature in 7.3.1. If upgrading from 7.1.9 SP1 CHF3 or higher, there will be a regression.
- CDPD-75532: Remove self node from the resourceTrie only if it has no children, no evaluators and no wildcard-evaluators
- When two policies have a common subset of resources and are defined on the same user (or subset of users, through groups or direct users), if one of these policies is modified (on anything: name, resource, user), it is the only one in effect during access evaluation, until a restart of the underlying service.
- CDPD-68806: The Revoke operation for users belonging to a group or role permission does not function as expected
- List command is listing all the tables even when the user permission is revoked. And also the command does not add any deny policy to Ranger for that specific user.
- CDPD-68739: The revoke command does not work when using the HBase shell
- While using the HBase shell, running the revoke command does not cancel the user permission. Users are able to perform actions even after running the revoke command.
- CDPD-67238: Multiple Columns Revoke not generating policies with correct number of columns
- As an example, when "revoke select(col1, col2,col3) on table demo.test from role Role3;" is done, the generated policy does not revoke the columns. Currently the revoke statement is only revoking if there is only one column.
- CDPD-60489: Jackson-dataformat-yaml 2.12.7 and Snakeyaml 2.0 are not compatible
- You must not use Jackson-dataformat-yaml through the platform for YAML parsing.
- CDPD-58704: hadoop roll key/key delete command shows operation failed error when one KMS host is down, even when operation succeeds
- In case of rollover/delete, client sends one more (last after delete request) request to KMS instances to clean their cache and that too to all registered kms instances. if one KMS instance is stopped (not deleted), the client gets a runtime exception.
- CDPD-56803: When there is no existing policy for user and a revoke request comes from hbase, then will get this error
- None.
- CDPD-56741: Improvement in log message when jwtauth not used
- None.
- CDPD-56738: Ranger RMS showing FileNotFoundException: /usr/share/java/oraclepki.jar in Oracle 19 setup
- This is a warning log printed in catalina.out file when Ranger RMS server is
initialized. The following exception is observed only in Oracle 19 setup:
FileNotFoundException: /usr/share/java/oraclepki.jar
- CDPD-55107: Not able to search using multiple user filter in access audit tab
- If you were using multiple user search filters in on Ranger Admin UI, after upgrading to CDP-7.1.9 that would not be supported. You can continue to search users with a single search filter.
- CDPD-48975: Ranger KMS KTS to KMS DB migration : keys with the same name but different case are not migrated
- KMS keys are not case sensitive.
- CDPD-42598: Kafka policy creation allowed with incorrect permissions
- When creating a Kafka policy from the UI, the permissions "Idempotent write"and "Cluster action" are not displayed as they are not applicable for the "topic" resource, but when creating a policy for the "topic" resource with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully when the expected behaviour is that the policy creation must fail as the permission is not applicable for the Kafka topic resource.
- CDPD-41582: Atlas Resource Lookup : Classification for "entity-type" lists only classification for the following payload: {"resourceName": "classification", "userInput": "", "resources": {"classification": []}}]
- Expectation is to return all the classifications. But the response has only "classification". Happens similarly for entity-label, entity-business-metadata.
- CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column
- A user is allowed to enter data into a table even if there is a deny policy present on
one of the table columns.
The user is able to insert data into the table.