Fixed Issues in Apache Ranger
Review the list of Ranger issues that are resolved in Cloudera Runtime 7.2.16.
- CDPD-46781: Improve validation of condition expressions used in Ranger policies.
- CDPD-46408: Upgrade spring security version to 5.7.5 as part of CVE fix.
- CDPD-46309: Raz authorization for S3 and ALDS also will have audit metrics now. Issue here was wrong configuration prefix was sent and that resulted in not getting the right configuration values for authorization throughput metrics to be created.
- CDPD-46256: Fixed Audit metrics not loading in new UI.
- CDPD-46243: RAZ environment was failing to come up because of Audit metrics Initiation error. This was fixed on the RAZ.
- CDPD-46233: Knox service was failing when Audit metrics was enabled. Fix was done to handle the CNF error in knox ranger plugin which took care of this error.
- CDPD-45975: Audit metrics graphs were failing at the JPA level as different flavors of Database supported different predefined function. Fix is to use standard function which works across different databases.
- CDPD-45874: Audit metric API issue is fixed by correcting the failing jpa query.
- CDPD-45680: Replace log4j 1 with reload4j to fix the Log4j-1 EOL issue.
- CDPD-45254:.env variables should be set before running docker-compose up.
- CDPD-45116: Ranger admin user should able to change another user email after the upgrade.
- CDPD-44810: updated resource signature of policy after modification of security zone name.
- CDPD-44694: Change sync_source column datatype from varchar to text.
- CDPD-44675: fixed url validation.
- CDPD-44666: Policies that are maintained for the roles are not considered in the Ranger Policy reports and hence the report is not accurate. This fix is to generated the correct report.
- CDPD-43941: Python client to test performance of CRUD operations on Ranger policy REST APIs.
- CDPD-43873: Added validation for Validity Scheduler.
- CDPD-43822: service creator user should able to create user of the ranger default policies.
- CDPD-43792: The patch fixes the runtime complexity of ranger upgrade under heavy load(large no. of users and groups).
- CDPD-43771: Improves the running time of java patch 55.
- CDPD-43751: Improve java patch J10056 execution time while updating the large number of users.
- CDPD-43465: Upgrade aws-java-sdk to 1.12.261 and azure-storage-blob to 12.18.0.
- CDPD-43412: Fix ranger install script failure in python 3 env.
- CDPD-42752: There is a change in external user 'status' (i.e x_portal_user tables column) which are getting synced into ranger admin, default ‘status’ value of synced users are getting set as 0(disabled) which was not the case in 7.1.4 This is the behaviour change between 7.1.4 and later versions.
- Added change to mark external users status as enable(1). Written a java patch to update the status of existing external users.
- CDPD-42607: Incremental Sync config parameter is read from config with the fix.
- CDPD-41280: Fix Java patch J10033 and J10046 failure during ranger upgrade.
- CDPD-41200: Show the alert only once if the resource lookup fails.
- CDPD-41153: Updating the service config during upgrade which has unsupported access types e.g - others, solr_admin.
- CDPD-40961: Opensearch Support on Ranger Admin.
- CDPD-40268: 1. Fixed infinite loop in filtering out Ancestor resources 2. Filter out default-db from the mapped Hive resource if any other resource is also mapped. 3. Checking all mapped hive resources for access permissions 4. Added a config flag - ranger-rms.enable.database.sync (default true). If true, database level sync is enabled 5. Fixed ALTER_TABLE notification event processing 6. Added more debug messages to ChainedPlugin
- CDPD-39931: Remove duplicate access types entries during the ranger policy creation.
- CDPD-39803: Authmigrator Utility should not print irrelevant error messages.
- CDPD-39594: Improved performance on the HBaseAuthorization request.
- CDPD-39588: Exclude tag policies while transforming ranger policies through ranger policymigration module.
- CDPD-39413: Print the skipped policy count while importing ranger policies through Sentry AuthMigrator tool.
- CDPD-39412: Print the skipped policy count while importing ranger policies from the Sentry AuthMigrator tool.
- CDPD-39360: Fix the serviceType ID and serviceType mapping of kafka in the ranger policymigration module.
- CDPD-39359: Replace ElasticSearch to OpenSearch 1.3.2 in Ranger due to CVE. ElasticSearch cannot be upgraded due to Licensing issue hence it is replaced with OpenSearch 1.3.2.
- CDPD-39594: Add python3 support in ranger install scripts.
- CDPD-39319: Fix NullPointerException in get service REST call.
- CDPD-39317: Updated atlas default audit filter to avoid auditing for atlas read-entity by nifi service user.
- CDPD-39232: Hive table owner who create the tables full privilege.
- CDPD-39208: Remove unused RDBMS tables used by Ranger admin service.
- CDPD-39095: This JIRA is to verify Kafka Ranger plugin works correctly after upgrade of Kafka version to 3.1.
- CDPD-35865: There is a change in external user 'status' (i.e x_portal_user tables column) which are getting synced into ranger admin, default ‘status’ value of synced users are getting set as 0(disabled) which was not the case in 7.1.4 This is the behaviour change between 7.1.4 and later versions.
- Added change to mark external users status as enable(1). Written a java patch to update the status of existing external users.
- CDPD-35628: If RangerRMS cannot renew it's ticket cache due to a KDC communication problem then it will not retry it and we'll see periodic "No ticket found in the cache" error messages. If that happens, then it won't have a valid Kerberos ticket it will not be able to communicate with other services, like HMS.
- CDPD-35447: Added Ranger Support on Datahub HDFS.
- CDPD-33606: Upgraded the Kylin version
- CDPD-25938: As part of this change we have removed one policy item from storage policy with rangerlookup user which has unused access type.
- CDPD-20527: Added API Documentation in the user profile drop-down. Click on that it opens a new window and loads swagger UI.
- OPSAPS-62307: Ranger configurations now expose a safety-valve for authorization-migration-site.xml to allow users to configure required properties for custom configuration of properties which user can configure during migration of policies from Sentry to Ranger.
- OPSAPS-62954: After the fix the default policies created in Ranger Admin should contain the actual configured service users and principal.
- OPSAPS-63953: Removed default value JAVA_HOME variable and gave freedom to users to export the variable from their side. If not set users will see an error/notification to set the JAVA_HOME variable.
- OPSAPS-64271: Ranger configurations now expose a safety-valve for authorization-migration-site.xml to allow users to configure required properties for custom configuration of properties which user can configure during migration of policies from Sentry to Ranger.
Technical Service Bulletins
- TSB 2023-644: Microsoft Azure parent directory deletion
- For the latest update on this issue, see the corresponding Knowledge Base article: TSB 2023-644: Microsoft Azure parent directory deletion.
Apache Patch Information
- CDPD-41188 : RANGER-3905
- CDPD-43934 : RANGER-3907
- Revert "RANGER-3840
- RANGER-3840
- Revert "RANGER-3768
- CDPD-41324: RANGER-3807
- RANGER-3790
- RANGER-3779
- RANGER-3768
- RANGER-3765
- RANGER-3763
- RANGER-3764
- CDPD-40486: Incorrect merging of RANGER-3548
- RANGER-3744
- RANGER-3736
- CDPD-39772: Backport RANGER-3717 RANGER-3299 RANGER-3716 RANGER-3732
- RANGER-3687
- RANGER-3211
- RANGER-3698
- RANGER-3389
- RANGER-2759
- RANGER-3784
- RANGER-3593
- RANGER-3780
- RANGER-3600
- RANGER-3752
- RANGER-3782
- RANGER-3735
- RANGER-3797
- RANGER-3793
- RANGER-3693
- RANGER-3795
- RANGER-3829
- RANGER-3861
- RANGER-3931
- RANGER-3857
- RANGER-3887
- RANGER-3888
- RANGER-3959
- RANGER-3960
- RANGER-3957
- RANGER-3956
- RANGER-3932
- RANGER-3914
- RANGER-3916
- RANGER-3912
- RANGER-3852
- RANGER-3886
- RANGER-3854
- RANGER-3735
- RANGER-3725