Cloudera Docs

Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.2.17.

CDPD-56554: [7.2.17 CLONE] - Turning usersync debug logging on results in users not getting synced due to NPE
Fix NPE while logging debug messages
CDPD-56213: Fix sql patch 65 syntax issue for oracle db
Fix sql patch 65 syntax issue for oracle db
CDPD-55997: Log4j2 support : Write java patches logs to log file
Log4j2 support : Write java patches logs to log file
CDPD-55994: Ranger Upgrade to 7.1.9 may fail
Fix for ranger upgrade failure
CDPD-55281: Ranger - 7.2.17 - Update NOTICE files
Notice file updated
CDPD-55164: ranger policy replication transform step is not printing logs
Improve ranger policy replication transformation logs
CDPD-54624: [CLONE] - Ranger - Upgrade commons-codec to 1.15
Upgrade commons-codec to 1.15
CDPD-53826: Ranger - Upgrade jettison to 1.5.4 due to CVE-2023-1436
Upgrade jettison to 1.5.4
CDPD-53805: Ozone_key tag based policies are not working
What was the Root Cause? Ozone qualified name parsing had a issue wherein '/' was getting included in the key name which resulted in wrong key matching while enforcing policy How was this Issue Resolved? Logic for parsing ozone qualified name changed such that '/' is not included in the key name which was causing issue previously.
CDPD-53804: Ranger - Upgrade Spring Framework to 5.3.26/6.0.7 due to CVE-2023-20861 and CVE-2023-20860
Upgrade Spring Framework to 5.3.27
CDPD-53440: Ranger audit metrics deletion is failing
Bug fixed for Ranger audit metrics deletion.
CDPD-50720: Regression caused by CDPD-45891
What was the issue? getDeletedGroups() was using incorrect URI. How was the issue fixed? Fix uri for getDeletedGroups() in PolicyMgrUserGroupBuilder
CDPD-50450: Backport HIVE-27201: Inconsistency between session Hive and thread-local Hive may cause HS2 deadlock
Two HS2 sessions can go into a deadlock state with RANGER-3593 and can indefinitely wait for each other. This patch resolves the deadlock condition.
CDPD-50395: Ranger - Upgrade org.json to 20230227+ due to CVE-2022-45688
Removed org.json dependency from Ranger KMS. Ranger KMS does not required this as direct dependency. org.json will be fetch as run time dependency for service Ranger KMS KTS.
CDPD-50299: Ranger - Upgrade Kerby to 2.0.3 due to CVE-2023-25613
Upgrade Kerby to 2.0.3
CDPD-50025: [7.2.17.0] Ranger: upgrade tomcat to 8.5.85 or higher
Upgrade tomcat to 8.5.86
CDPD-50019: Update servicedef by name results in 400 status code while the same request works with update servicedef using id
Update servicedef by name API should return http response code 200
CDPD-49882: [7.2.17 CLONE] - Ranger AD User Sync - support for AD group names containing slashes
Support for LDAP/AD usernames and group names with special chars
CDPD-49774: Tags (classification) are not getting synced when we Add attribute values for classification
Sync Tags (classification) when attribute values for classification is added
CDPD-49711: assignPermissionToUser in XUserMgr creates entries with NULL moduleId in x_user_module_perm
Fixed assignPermissionToUser in XUserMgr to correct the bug which assigns permissions for a module (which does not exist) to users with Auditor role.
CDPD-49701: Ranger S3 policy fails for non recursive access to the root of a bucket
There was an issue in Ranger S3 policies for 7.2.16 Raz-enabled environments where policies with Allow conditions and only read or write were not being honored (i.e., users will be denied) by Ranger and policies with only Deny conditions and only read or write were not being honored (i.e., users will be allowed) by Ranger. This jira fixed this issue and the Ranger S3 policies in Raz-enabled environments would be honored.
CDPD-49651: Ranger Tagsync - Convert to Web Application
This task converts the Ranger Tagsync module into a Web Application.
CDPD-49589: Add yarn and impala users to audit filter for solr servicedef to avoid logging of audits
Add yarn and impala users to audit filter for solr servicedef
CDPD-49588: clientIP is not logged for create/grant/revoke role operations via hive beeline
What was the root cause? Server.getRemoteIp() does not return client ip correctly. How was the issue fixed? Use SessionState to log clientIP in RangerHiveAuthorizer.
CDPD-49373: Groups are not visible in mask and row level policy listing tables.
Fixed that all groups are listed properly in policy listing table
CDPD-48947: Ranger Upgrade from 7.2.11 to 7.2.16 failed
Fix for Ranger upgrade failure from source version CDH-7.2.11
CDPD-48828: [ranger] [replication] Script should not permit N : 1 mappings for services of the same service type
Restrict duplicate mappings to same source service name in ranger replication configuration
CDPD-48394: Ranger is opening a lot of zk connections when solr is down
Making sure that Ranger closes the Zookeeper connection in case when Solr service is not reachable. Also following the configured number of retries to connect to Solr and on given time intervals.
CDPD-48389: Change in api response for get APIs
Ranger REST API response object will not include properties/fields which are NULL or empty/blank. RANGER-3948
CDPD-48337: exportJson api returns all policies in repo when filter string used has reponame and groupName
exportJson api should return ranger policies as per filter specification
CDPD-48322: queryparams repositoryType and groupName are not working for /service/public/api/policy api
Fix for failing get policy API with queryparams
CDPD-48232: [ranger] [replication] Policy transform step is removing hdfs execute permission.
Keep hdfs execute permission during Policy transformation
CDPD-48165: Ranger - Upgrade snakeyaml due to CVE-2022-1471
Upgrade snakeyaml to 2.0
CDPD-48129: [ranger][replication] If a change is made in the resource field of a policy on the source cluster, a new policy is created on the target cluster instead of changing the existing policy
Add support to get matching ranger policies by given algorithm
CDPD-48119: Ranger - Upgrade OWASP Java HTML Sanitizer due to security CVEs
Upgrade OWASP Java HTML Sanitizer
CDPD-48041: Ranger - Upgrade commons-net to 3.9.0 due to CVE-2021-37533
Upgrade commons-net to 3.9.0
CDPD-48032: Ranger - Upgrade jettison to 1.5.2 due to CVE-2022-45685 and CVE-2022-45693
Upgrade jettison to 1.5.2
CDPD-47994: [Ranger] Not able to fetch Policy details using guid /api/policy/guid/{guid} without service name
Fix for failing get policy by GUID API
CDPD-47989: Ranger - Upgrade Netty to 4.1.86.Final due to CVE-2022-41881, CVE-2022-41915
Upgrade Netty to 4.1.86.Final
CDPD-47909: Ranger - Upgrade moment.js to 2.29.4 due to CVE-2022-24785, CVE-2022-31129
Upgrade moment.js to 2.29.4 due to CVE-2022-24785, CVE-2022-31129
CDPD-47900: Log4j2 support in Ranger
Log4j 1.x dependency is removed and upgraded to log4j2
CDPD-47856: Ranger - Upgrade bootbox to 6.0.0 due to GHSA-87mg-h5r3-hw88
Upgrade bootbox to 5.5.3
CDPD-47760: [Ranger][UserSync]Enumerate Groups will give error on executing 'getent group' command
What was the issue? incorrect usage of getent command in UnixUserGroupBuilder How was the issue fixed? Fixed the usage of getent in UnixUserGroupBuilder
CDPD-47464: Alter view command allowed even when user has a deny policy on the underlying table
"Alter View As" queries were not being authorized correctly. This patch addresses the security concern around the authorization of "Alter View As" queries.
CDPD-47056: Fix Ranger TagRest API deleteTagResourceMapByGuid
Fix Ranger TagRest API deleteTagResourceMapByGuid
CDPD-46961: [aws][7.2.7->7.2.16] solr-server error after the DL upgrade
Modified default_value column type to TEXT of x_service_config_def table.
CDPD-46866: [cdpd-master clone] - Ranger - Upgrade Woodstox to 5.4.0/6.4.0 due to multiple CVEs
Upgrade Woodstox to 5.4.0
CDPD-46789: Policy update request fails if isDenyAllElse flag is set true in request json when using "/policy/apply" API
Fix for Policy update request failure when isDenyAllElse flag is set to true in in "/policy/apply" API request json
CDPD-46781: Restrict scripts from accessing Java classes and methods
Improve validation of condition expressions used in Ranger policies.
CDPD-46677: Ranger - Upgrade Woodstox to 5.4.0/6.4.0 due to multiple CVEs
Upgrade Woodstox to 5.4.0
CDPD-46667: Ranger - Upgrade commons-codec to 1.13 or higher
Upgrade commons-codec to 1.14
CDPD-46659: Ranger - Upgrade wildfly-openssl to 1.1.3.Final/1.1.3.Final+ due to CVE-2020-25644
Upgrade wildfly-openssl to 1.1.3.Final
CDPD-46561: Ranger - Upgrade protobuf-java to 3.16.3/3.19.6/3.20.3/3.21.7 due to CVE-2022-3171
Upgrade protobuf-java to 3.21.7 to fix a CVE issue
CDPD-46447: [CR-7.2.17] Add 'preload' directive to HSTS header
Successfully added preload directive in HSTS i.e. Strict-Transport-Security tag in response header.
CDPD-46256: Ranger Audit metrics page broken in New UI
Fixed Audit metrics not loading in New UI
CDPD-46244: [CR-7.2.16] Add 'preload' directive to HSTS header
Successfully added preload directive in HSTS i.e. Strict-Transport-Security tag in response header.
CDPD-46233: knox plugin is not working
Knox service was failing when Audit metrics was enabled. Fix was done to handle the CNF error in knox ranger plugin which took care of this error
CDPD-46161: [ranger][replication] cm_hdfs service wasn't transformed properly
Fix for hdfs service policies transformation failure
CDPD-46160: [ranger][replication] Export should fail for non-existing services
Ranger policy export should fail for non existing services
CDPD-46097: NPE during ranger ctas masking test
This patch addresses the issue where the "SHA512" masked value is not being propagated to Tez executors.
CDPD-45533: AuditFileSpool logs out all events that were not audited successfully
AuditFileSpool should log only those events which are audited successfully
CDPD-44997: Upgrade snakeyaml to 1.32 in ranger-plugins-audit
Upgrade snakeyaml library to 1.32 to fix a CVE issue
CDPD-44645: Investigate alternative for enumerate=true in SSSD conf
Document usersync configs for using FreeIPA
CDPD-44513: HA support for Ranger TagSync
HA support for Ranger TagSync added as part of this new feature enhancement.
CDPD-43640: HA support for Ranger User Sync
HA support for Ranger UserSync added as part of this new feature enhancement.
CDPD-43132: Allow roles, tagrest & xaudit Ranger Admin APIs via knox proxy
This fix allows access to ranger role, tagrest and xaudit ranger admin APIs from knox proxy.
CDPD-43037: Add/ Update metric details for Ranger TagSync
This new feature provides Application specific metrics and JVM metrics details for Ranger Tagsync module.
CDPD-41446: Create common Ranger HA module
Common HA module created as part of this new feature enhancement.
CDPD-40964: Need to update Knox re-write rules to allow access to newer APIs introduced in Ranger
Allow metrics,roles, tagrest & xaudit Ranger Admin APIs via knox proxy
CDPD-39608: RANGER : [cdpd-master] Upgrade Jackson-core and Jackson-databind due to CVE[2020-36518]
Successfully upgraded jackson-core to v2.12.7. and databind to v2.12.7.1
CDPD-38189: Make sure that ranger plug-in can insert audit documents when Solr is upgraded in rolling fashion
When Solr is in Rolling upgrade, plugin audits will be stored in local filesystem when Solr is not able to reachable at any point of time and will be push went available.
CDPD-30591: Provide option to update group memberships when same users/groups are synced from different sync sources
Allow sync source updates for existing users synced via different sync sources
CDPD-29102: Ranger - Remove log4j 1.x dependencies due to EOL
Log4j 1.x dependency is removed and upgraded to log4j2
CDPD-15744: HA support for Ranger Tag Sync/User Sync
HA support for Ranger TagSync and UserSync added as part of this new feature enhancement.

Apache Patch Information

  • RANGER-4241
  • RANGER-4242
  • RANGER-3821
  • RANGER-4163
  • RANGER-4173
  • RANGER-4159
  • RANGER-4135
  • RANGER-4204
  • RANGER-4113
  • RANGER-4112
  • RANGER-4115
  • RANGER-4153
  • RANGER-4131
  • RANGER-4073
  • RANGER-4109
  • RANGER-3947
  • RANGER-4205
  • RANGER-4031
  • RANGER-3975
  • RANGER-3991
  • RANGER-4028
  • RANGER-4043
  • RANGER-3977
  • RANGER-4206
  • RANGER-3995
  • RANGER-3959
  • RANGER-3962
  • RANGER-3957
  • RANGER-3961
  • RANGER-4151
  • RANGER-4150
  • RANGER-4149
  • RANGER-3729
  • RANGER-3498
  • RANGER-4148