Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.2.10.

CDPD-25609: Basic default audit filter.
Added default basic audit filters for yarn, kudu, s3, nifi, nifi-registry, and schema-registry components. This issue is resolved.
CDPD-25247: Zone tag policies are getting deleted when zone is updated.
Fixed the regression bug of deleting zone tag policies while updating zone. This issue is resolved.
CDPD-25725: Audit Page Improvement created is not correct.
This issue is resolved.
CDPD-25821: Ranger api calls through proxy hang indefinitely.
This is fixed as part of CDPD-25560 and CDPD-25957. Removed call to modify SolrJaasConfiguration class from ranger and set system property for knox jaas config app name in knox plugin. This issue is resolved.
CDPD-25957: Knox does not service requests, some of the clients receive 504 errors.
Added code during knox plugin initialization to set system property for knox jaas config app name. This issue is resolved.
CDPD-26332: Solr logs contain multiple NPE.
Added null check to audit event object before retrieving information. This issue is resolved.
CDPD-14423: Access audits page not loading.
Fixes Ranger's connection to Solr to pull audit events from Solr Service. Ranger was unable to fetch Audit events from solr after expiry of kerberos ticket. This issue is resolved.
CDPD-17944: Audit-to-cloud storage: minimize write calls.
Added ability to batch the cloud storage write calls. This issue is resolved.
CDPD-20524: Added a capability to specify audit filters from UI side.
This issue is resolved.
CDPD-22820: Handling of invalid usernames for usersync.
Added validation for user/group names to check for invalid characters in usersync before updating to ranger admin. This issue is resolved.
CDPD-23572: Ranger usersync does not synchronise groups.
Allow the setting to false and configure ranger.usersync.ldap.user.groupnameattribute=memberof. That way, usersync can sync the users based on the user search base and user search filter and use the "memberof" attribute of the user to sync all the groups each user belongs to. This issue is resolved.
CDPD-23579: Policy Item does not render in the report page.
This issue is resolved.
CDPD-23726: In place policy or tag updates are by defalut set to false to resolve performance issue.
This issue is resolved.
CDPD-24387: Ranger Audit framework change to handle UnsupportedOperationException while writing into S3AFileSystem with hflush api.
This issue is resolved.
OPSAPS-14423: Access audits page not loading.
Fixes Ranger's connection to Solr to pull audit events from Solr Service. Ranger was unable to fetch Audit events from solr after expiry of kerberos ticket. This issue is resolved.
OPSAPS-17016: Ranger KMS - Upgrade api-i18n due to CVE-2018-1337.
This issue is resolved.
OPSAPS-13664: RangerRazClient communicates with k5b for every request for populating headers.
Raz performance fix - using connection pool. This issue is resolved.
OPSAPS-13595: Reduce SSL handshake and krb negotiations from RangerRazClient --> Raz Server.
RAZ performance fix - Added Apache Http Client with connection pooling changes. This issue is resolved.
OPSAPS-17467: Upgrade Tomcat from 7.0.x line.
Tomcat is upgraded to 8.5.61. This issue is resolved.
OPSAPS-18273: Upgrade to TLS to version 1.2 and above.
Disabled TLS versions that are less than 1.2 for Ranger. This issue is resolved.
OPSAPS-19638: Thread contention inside AuditFilter.audit() while logging.
Auditing level changes to avoid thread contention due to high volume of auditing. This issue is resolved.
OPSAPS-21704: Ranger Auditor role (API compatibility).
Fixed access for servicedef GET API. This issue is resolved.
OPSAPS-21769: Embeded server max connection configurable.
RAZ performance fix - make connection parameters configurable. This issue is resolved.
OPSAPS-22201: NoClassDefFoundError in Atlas during ranger audit.
Fixed Atlas audit issue by adding right dependency. This issue is resolved.
OPSAPS-22353: Raz for adls is displaying exceptions while executing spark benchmarks.
RAZ performance fix - acceptCount parameter. This issue is resolved.
OPSAPS-23590: Incorrect message when user does nt have permission on the storage account.
Fixed the error message returned to have correct "Permission denied" message. This issue is resolved.
OPSAPS-23853: Ranger Raz client blocks waiting for Http connection due to connection leak.
Fixed RAZ client connection leak during failures causing Oozie to not able to get connections. This issue is resolved.
OPSAPS-23917: Unable to access bucket on 7.2.10 RAZ-S3 DL cluster.
Added null check when adding evaluators. This issue is resolved.
CDPD-16888: Ranger and Atlas services should have recommended heap size configured while deploying a cluster.
Default minimum heap size for Ranger services is now set as 1 GB and for Atlas 2GB. This issue is now resolved.
CDPD-16888: Solr client connection used for communication is not closed and this results in resource leak.
This issue is now resolved.
OPSAPS-58711: ODB cannot deploy against Datalake HA
This issue is now resolved.
CDPD-15401: When you enable Hive Metastore lookup in Ranger admin, resource lookup returns nothing and displays an error.
This issue is now resolved. You must use this step as a solution: sudo
 ln -s /opt/cloudera/parcels/*<CDH-version>*/jars/libfb303-0.9.3.jar
CDPD-14269 and CDPD-14289: Failed resource filtering in Ranger Policy Export.
Exporting tag policies result in a 204 error when the polResource query parameter is used.
CDPD-12848: When you try to create multiple policies using the API having same non-existing group, the group creation fails due to multiple threads trying to create the same group at once.
Separate threads are now created for retry group creation and checks if the group is previously created and associate it with policy.
CDPD-10072: Ranger Ozone plugin unable to write to solr audits in SSL enabled cluster
This issue is now resolved. A separate folder libext is added under the Ozone library path and all the ranger plugin jars are added under this new folder.
OPSAPS-57495: The Ranger role-level principal for Ranger Admin, Ranger Usersync, and Ranger Tagsync can now be customized from the Cloudera Manager UI.

Apache Patch Information

  • RANGER-3208
  • RANGER-3189
  • RANGER-3153
  • RANGER-3168
  • RANGER-3202
  • RANGER-3194
  • RANGER-3147
  • RANGER-3226
  • RANGER-3213
  • RANGER-3209
  • RANGER-3205
  • RANGER-3203
  • RANGER-3210
  • RANGER-3199
  • RANGER-3189
  • RANGER-3207
  • RANGER-3191
  • RANGER-3194
  • RANGER-3272
  • RANGER-3283
  • RANGER-3266
  • RANGER-3252
  • RANGER-3246
  • RANGER-3234
  • RANGER-3233
  • RANGER-3228
  • RANGER-3206
  • RANGER-3215
  • RANGER-3157
  • RANGER-3137