Ozone

This topic describes known issues and workarounds for using Ozone in this release of Cloudera Runtime.

A user with ALL Access in Ranger cannot list volumes created by other users

When ozone.acl.enabled=True and ozone.administrators is defined, ACL checks for operations such as volume create and list volume are not sent to the configured authorizer plug-in (for example, Ranger or NativeOzoneAuthorizer); instead, they are decided from the Ozone Manager's ozone.administrators configuration.

As a result, if you set an authorizer policy that allows a certain user to create or list volumes, the request is not honored.

Workaround: Ensure that admin operations such as create volume and list all volumes are allowed only for those users defined in the ozone.administrators configuration.

Cloudera JIRA: CDPD-12096

The Recon web user interface shows incomplete information about Ozone volumes, buckets, and keys

In a secure cluster with High Availability for Ozone Manager enabled, if Recon is not configured with the correct server principal of the Ozone Manager, it cannot receive updates from Ozone Manager on a regular basis. Therefore, the Recon web user interface shows incomplete information about volumes, buckets, and keys.

Workaround: Add the following Recon configuration property using the Ozone Recon Advanced Configuration Snippet (Safety Valve) for ozone-conf/ozone-site.xml configuration parameter from Cloudera Manager: ozone.om.kerberos.principal=<comma separated list of all the Ozone Manager principals configured for the cluster>.
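
A configuration audit covering both issues above, as an added example that is not part of the Cloudera documentation: it reports users whose volume create/list grant in the authorizer is ignored because they are not in ozone.administrators, and Ozone Manager principals missing from Recon's ozone.om.kerberos.principal. The sample XML, user names, principals and function names are constructed for illustration; the script assumes the usual Hadoop-style property XML and comma-separated values.

```python
import xml.etree.ElementTree as ET

def load_props(site_xml):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def split_list(value):
    """Split a comma-separated property value into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}

def unhonored_volume_grants(om_site_xml, policy_users):
    """Users granted volume create/list by the authorizer whose grant is ignored."""
    props = load_props(om_site_xml)
    acl_on = props.get("ozone.acl.enabled", "").lower() == "true"
    admins = split_list(props.get("ozone.administrators", ""))
    if not (acl_on and admins):
        return []  # the known issue applies only when both settings are present
    return sorted(set(policy_users) - admins)

def missing_recon_principals(recon_site_xml, om_principals):
    """Ozone Manager principals absent from Recon's ozone.om.kerberos.principal."""
    value = load_props(recon_site_xml).get("ozone.om.kerberos.principal", "")
    return sorted(set(om_principals) - split_list(value))

# Constructed sample input (not taken from a real cluster).
OM_SITE = """<configuration>
  <property><name>ozone.acl.enabled</name><value>True</value></property>
  <property><name>ozone.administrators</name><value>om_admin, hdfs</value></property>
</configuration>"""
RECON_SITE = """<configuration>
  <property><name>ozone.om.kerberos.principal</name>
    <value>om/om1.example.com@EXAMPLE.COM,om/om2.example.com@EXAMPLE.COM</value></property>
</configuration>"""
RANGER_VOLUME_USERS = ["hdfs", "analyst1"]  # hypothetical users allowed by policy
OM_PRINCIPALS = ["om/om%d.example.com@EXAMPLE.COM" % i for i in (1, 2, 3)]

if __name__ == "__main__":
    print("grants not honored:", unhonored_volume_grants(OM_SITE, RANGER_VOLUME_USERS))
    print("missing in Recon:", missing_recon_principals(RECON_SITE, OM_PRINCIPALS))
```

An empty result from both functions means the policy grants match ozone.administrators and Recon lists every Ozone Manager principal supplied to the check.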