Known Issues in Apache Ranger

Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.

Ranger Tagsync does not support Ozone OFS paths / O3FS recursive feature not supported (tag-based access control behavior may not be as expected for Ozone)
There is no support for the OFS path/O3FS recursive feature in 7.3.1. If you upgrade from 7.1.9 SP1 CHF3 or higher, there will be a regression.
Wait for the next SP/CHF release 7.3.1 before upgrading.
CDPD-75532: Remove self node from the resourceTrie only if it has no children, no evaluators and no wildcard-evaluators
When two policies share a common subset of resources and apply to the same user (or subset of users, directly or through groups), modifying one of them in any way (name, resource, or user) makes it the only one in effect during access evaluation until the underlying service is restarted.
Restart the plugin service whose policy is not being evaluated.
CDPD-68806: The Revoke operation for users belonging to a group or role permission does not function as expected
The list command lists all the tables even after the user's permission is revoked. Also, the command does not add a deny policy to Ranger for that specific user.
This behavior is currently not supported in the HBase shell. It must be handled manually by changing the Ranger policy.
CDPD-68739: The revoke command does not work when using the HBase shell
While using the HBase shell, running the revoke command does not cancel the user permission. Users are able to perform actions even after running the revoke command.
None.
CDPD-67238: Multiple Columns Revoke not generating policies with correct number of columns
For example, when "revoke select(col1, col2,col3) on table demo.test from role Role3;" is run, the generated policy does not revoke the columns. Currently, the revoke statement takes effect only when it names a single column.
None.
CDPD-60489: Jackson-dataformat-yaml 2.12.7 and Snakeyaml 2.0 are not compatible
You must not use Jackson-dataformat-yaml through the platform for YAML parsing.
CDPD-58704: hadoop roll key/key delete command shows operation failed error when one KMS host is down, even when operation succeeds
In case of a rollover or delete, the client sends one more request (the last one, after the delete request) to all registered KMS instances to clean their caches. If one KMS instance is stopped (not deleted), the client gets a runtime exception.
This simply returns the runtime exception on the client end for stopped instances but does not break any functionality.
CDPD-56803: When there is no existing policy for a user and a revoke request comes from HBase, then you will get this error
None.
CDPD-56741: Improvement in log message when jwtauth not used
None.
CDPD-56738: Ranger RMS showing FileNotFoundException: /usr/share/java/oraclepki.jar in Oracle 19 setup
This is a warning log printed in the catalina.out file when the Ranger RMS server is initialized. The following exception is observed only in an Oracle 19 setup: FileNotFoundException: /usr/share/java/oraclepki.jar
None.
CDPD-55107: Not able to search using multiple user filter in access audit tab
If you used multiple user search filters in the Audit > Access tab of the Ranger Admin UI, that is no longer supported after upgrading to CDP-7.1.9. You can continue to search users with a single search filter.
None.
CDPD-48975: Ranger KMS KTS to KMS DB migration: keys with the same name but different case are not migrated
KMS keys are not case sensitive.
No workaround. Such key combinations are very rare and the migration doc was updated to check such keys before starting the migration.
CDPD-42598: Kafka policy creation allowed with incorrect permissions
When creating a Kafka policy from the UI, the permissions "Idempotent write" and "Cluster action" are not displayed because they are not applicable to the "topic" resource. However, when a policy for the "topic" resource is created with the permissions "Idempotent write" and "Cluster Action", the policy is created successfully. The expected behavior is that policy creation must fail, because these permissions are not applicable to the Kafka topic resource.
None.
CDPD-41582: Atlas Resource Lookup: Classification for "entity-type" lists only classification for the following payload: {"resourceName": "classification", "userInput": "", "resources": {"classification": []}}
The expectation is that all the classifications are returned, but the response contains only "classification". The same happens for entity-label and entity-business-metadata.
None.
CDPD-40734: User allowed to insert data into a Hive table when there is a deny policy on a table column
A user is allowed to enter data into a table even if there is a deny policy present on one of the table columns.

The user is able to insert data into the table.

None.