- OPSAPS-75673: Wrong enablement of Ranger RMS Database Full Sync command
- 7.1.8, 7.1.9, 7.1.9 SP1, 7.2.18, 7.3.1
- The Ranger RMS Database Full Sync command should be enabled
only when all RMS server instances are stopped. This is required to ensure that the
RMS database synchronizes correctly without introducing conflicts or data corruption.
However, when HA (High Availability) is enabled on the cluster, the command becomes
available from drop-down, even though only one Ranger RMS instance is stopped while
the others are still running.
- None.
- UnsupportedClassVersionError
- 7.1.9, 7.1.9 SP1, 7.3.1
- JDK 8 deployments support Nashorn JavaScript engine, which is built-in and fully
compatible, whereas JDK 17 deployments support GraalJS script engine due to
unavailability of Nashorn.
When your cluster supports both JDK 8 and JDK 17, then
while a Java application, running on JDK 8, uses generic interfaces like
ScriptEngine (from the javax.script package), the ScriptEngineManager class scans
the classpath for available script engine implementations through the service
provider mechanism, and detects the GraalJS as a provider for JavaScript, because in
this case the GraalJS library (version 22.3.0) is also included on the classpath.
The ScriptEngineManager then attempts to instantiate it, when requesting a "js" or
"javascript" engine, and triggers an UnsupportedClassVersionError.
- Remove the GraalJS library from the classpath.
- Ranger Tagsync does not support Ozone OFS paths / O3FS
recursive feature not supported (Tag based access control behavior may not be as
expected for ozone)
- 7.3.1
- 7.3.1.100
- There is no support for OFS path/O3FS recursive feature in
7.3.1. If upgrading from 7.1.9 SP1 CHF3 or higher, there will be a regression.
- Wait for the next SP/CHF release 7.3.1 before
upgrading.
- CDPD-75532: Remove self node from the resourceTrie only if it
has no children, no evaluators and no wildcard-evaluators
- 7.1.9 CHF3, 7.1.9 SP1, 7.3.1
- 7.1.9 SP1 CHF4, 7.3.1.100
- When two policies have a common subset of resources and are
defined on the same user (or subset of users, through groups or direct users), if one
of these policies is modified (on anything: name, resource, user), it is the only one
in effect during access evaluation, until a restart of the underlying service.
- Restart the plugin service whose policy is not being
evaluated.
- CDPD-68806: The Revoke operation for users belonging to a
group or role permission does not function as expected
- 7.1.9 SP1, 7.3.1
- List command is listing all the tables even when the user
permission is revoked. And also the command does not add any deny policy to Ranger for
that specific user.
- This behavior is currently not supported in HBase shell.
Must be handled manually using the Ranger policy change.
- CDPD-68739: The revoke command does not work when using the
HBase shell
- 7.1.9 SP1, 7.3.1
- While using the HBase shell, running the revoke command does
not cancel the user permission. Users are able to perform actions even after running
the revoke command.
- None.
- CDPD-58704: hadoop roll key/key delete command shows operation
failed error when one KMS host is down, even when operation succeeds
- 7.1.9, 7.1.9 SP1, 7.3.1
- In case of rollover/delete, client sends one more (last after
delete request) request to KMS instances to clean their cache and that too to all
registered kms instances. if one KMS instance is stopped (not deleted), the client
gets a runtime exception.
- This simply returns the runtime exception on client end
for stopped instances but doesn't break any functionality.
- CDPD-56803: When there is no existing policy for user and a
revoke request comes from hbase, then will get this error
- 7.1.9, 7.1.9 SP1, 7.3.1
- None.
- CDPD-56741: Improvement in log message when jwtauth not
used
- 7.1.9, 7.1.9 SP1, 7.3.1
- None.
- CDPD-56738: Ranger RMS showing FileNotFoundException:
/usr/share/java/oraclepki.jar in Oracle 19 setup
- 7.1.9, 7.1.9 SP1, 7.3.1
- This is a warning log printed in catalina.out file when Ranger
RMS server is initialized. The following exception is observed only in Oracle 19
setup:
FileNotFoundException: /usr/share/java/oraclepki.jar
- None.
- CDPD-55107: Not able to search using multiple user filter in
access audit tab
- 7.1.9
- 7.1.9 CHF2, 7.2.18
- If you were using multiple user search filters in on Ranger Admin UI, after upgrading to Cloudera Runtime 7.1.9 that would not be supported. You can continue to search users with a single
search filter.
- None.
- CDPD-48975: Ranger KMS KTS to KMS DB migration : keys with the
same name but different case are not migrated
- 7.1.9, 7.1.9 SP1, 7.3.1
- KMS keys are not case sensitive.
- No workaround. Such key combinations are very rare and
the migration doc was updated to check such keys before starting the migration.
- CDPD-42598: Kafka policy creation allowed with incorrect
permissions
- 7.1.8, 7.1.9, 7.1.9 SP1, 7.3.1
- When creating a Kafka policy from the UI, the permissions
"Idempotent write"and "Cluster action" are not displayed as they are not applicable
for the "topic" resource, but when creating a policy for the "topic" resource with the
permissions "Idempotent write" and "Cluster Action", the policy is created
successfully when the expected behaviour is that the policy creation must fail as the
permission is not applicable for the Kafka topic resource.
- None.
- CDPD-41582: Atlas Resource Lookup : Classification for
"entity-type" lists only classification for the following payload: {"resourceName":
"classification", "userInput": "", "resources": {"classification": []}}]
- 7.1.8, 7.1.9, 7.1.9 SP1, 7.2.16, 7.2.17, 7.2.18, 7.3.1
- Expectation is to return all the classifications. But the
response has only "classification". Happens similarly for entity-label,
entity-business-metadata.
- None.
- CDPD-40734: User allowed to insert data into a hive table when
there is a deny policy on a table column
- 7.1.8, 7.1.9, 7.1.9 SP1, 7.3.1
- 7.3.1.200
- A user is allowed to enter data into a table even if there is
a deny policy present on one of the table columns.
The user is able to
insert data into the table.
- None.
