Fixed Issues in Apache Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.2.18.

CDPD-65433: Execute and read permissions granted to a user in different HDFS policies does not take effect.
As part of this bug fix, execute and read permissions granted to a user in different HDFS policies work as expected. For example:
Policy 1: Granted the "public" group the "execute" permission on "/" recursively in an HDFS policy.
Policy 2: Granted only the "read" permission to the user for "/hdp".
Perform a list on "/hdp".
CDPD-65310: [7.2.18 CLONE] - Performance degradation while retrieving mapped hive resource for s3 location.
Retrieving the mapped Hive resource for an S3 location is now faster.
CDPD-64800: Classic UI - Security zone form not populate resources value properly while creating and editing zone form.
After the patch, the security zone form populates resource values properly.
CDPD-63148: RAZ client should encode the authorization URL to support unicode characters
Calls to the RAZ authorization API now support non-English characters in the URL.
CDPD-62934: Insecure direct object reference
As part of this fix, the audit metrics endpoint was made secure.
CDPD-61584: [Intermittent] Active NN not getting latest resource mappings from RMS server
When NameNode HA is enabled and both NameNodes send requests to download deltas after the full sync is performed in RMS, both NameNodes now get the latest resource mappings from the RMS server.
CDPD-60952: [7.2.18.0] - Add server side validation for service audit filter
As part of this fix, server-side validation was added for the service audit filter.
CDPD-60870: Ranger KMS junit tests are failing
The unsupported cipher was removed from the unit tests.
CDPD-57635: 7.2.18 -pre-cdpd-master - Ranger Raz: Need to fix default truststore and keystore type
Replaced the hard-coded jks with KeyStore.getDefaultType for initialising the default store type.
CDPD-60518: Introduce config within Ranger to control retention period of x_trx_log data
Add config within Ranger to control retention period of x_trx_log table data.
CDPD-60268: [7.2.18 - CLONE] - RangerJSONAuditWriter creates new log file for writing ranger audits as JSON every time there is an Exception
Prevents unnecessary new audit log files from being created.
CDPD-59587: CLONE [7.2.18] - Ranger RMS for Ozone
Ranger RMS will support authorization for Ozone storage locations. RMS for Ozone will co-exist with Hive-HDFS ACL sync and provide authorization for both HDFS and Ozone file systems.
CDPD-59133: CLONE - Ranger[7.2.18] : Upgrade commons-configuration2 to 2.9.0 due to CVEs
As part of this fix, commons-configuration2 was upgraded to 2.9.0.
CDPD-58569: Ranger - Upgrade Guava to 32.0.1 due to CVE-2023-2976
Upgrade Guava library version to 32.0.1.
CDPD-58493: Ranger - Upgrade Netty Project to 4.1.94.Final due to CVE-2023-34462
Upgrade Netty Project to 4.1.94.Final.
CDPD-57453: Atlas Error while writing audits to GCP Datalake
Removed the lib which was causing the conflict.
CDPD-57318: Ranger - Upgrade jackson-dataformat-xml to 2.13.5 due to multiple CVEs in woodstox
Use woodstox-core version 5.4.0.
CDPD-57018: Ranger - Upgrade aws-java-sdk to 1.12.367+
Upgrade aws-java-sdk to 1.12.481.
CDPD-56737: Ranger - Upgrade Tomcat to 8.5.89 due to CVE-2023-28709
Upgrade Tomcat to 8.5.89.
CDPD-56384: Ranger - Upgrade Spring LDAP to 2.4.1 due to high CVEs
Upgrade Spring LDAP to 2.4.1.
CDPD-56383: Ranger - Upgrade BeanShell to 2.1b5 due to high CVEs
Upgrade BeanShell to 2.1b5 by upgrading testNG to 7.0.0.
CDPD-56381: Ranger - Upgrade Apache Derby due to critical CVEs
Upgrade Apache Derby to 10.14.2.0.
CDPD-56343: Feature request for Ranger : More than 25 policies per page
This issue is fixed in the Ranger Admin React UI.
CDPD-56300: Introduce config within Ranger to control retention period of x_auth_session data
Add config within Ranger to control retention period of x_auth_session table data.
CDPD-56213: Fix sql patch 65 syntax issue for oracle db
Fix sql patch 65 syntax issue for oracle db.
CDPD-55997: Log4j2 support : Write java patches logs to log file
Log4j2 support : Write java patches logs to log file.
CDPD-55994: Ranger Upgrade to 7.1.9 may fail
Fix for the Ranger upgrade failure.
CDPD-55572: shell script to export, transform, import of ranger Roles for ranger replication
Shell script to export, transform, import of ranger Roles for ranger replication.
CDPD-55561: Ranger - Upgrade bcpkix-jdk15on to 1.70+ due to CVE-2019-17359
Upgrade bcpkix-jdk15on to 1.70.
CDPD-55459: Ranger - Upgrade Spring Framework to 5.3.27/6.0.8 due to CVE-2023-20863
Upgrade Spring Framework to 5.3.27.
CDPD-55419: Ranger - Upgrade json-smart to 2.4.10 due to CVE-2023-1370
Upgrade json-smart to 2.4.10.
CDPD-55050: Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
API to determine whether a user/group/role is authorized to perform the given operation on any resource of the given type.
CDPD-53651: [UMBRELLA] Ranger Replication
Ranger Policy Replication support in Ranger.
CDPD-50564: Add/ Update Additional metric details for Ranger RMS
Add Additional Metrics for Ranger RMS.
CDPD-50395: Ranger - Upgrade org.json to 20230227+ due to CVE-2022-45688
Removed the org.json dependency from Ranger KMS. Ranger KMS does not require it as a direct dependency. org.json will be fetched as a runtime dependency for the Ranger KMS KTS service.
CDPD-39939: [PAAS] Ranger RMS improvements
Added support for RMS in public cloud (AWS) to track S3 locations of Hive tables and databases.
CDPD-6087: RangerAuthorizationCoprocessor Unable to get remote Address
Issue already fixed in https://issues.apache.org/jira/projects/RANGER/issues/RANGER-3758, https://jira.cloudera.com/browse/CDPD-45528. Log level changed from info to trace.

Apache Patch Information

  • RANGER-4655
  • RANGER-4611
  • RANGER-4461
  • RANGER-4407
  • RANGER-4353
  • RANGER-4342
  • RANGER-4308
  • RANGER-4262
  • RANGER-4257
  • RANGER-4255
  • RANGER-4245
  • RANGER-4242
  • RANGER-4241
  • RANGER-4220
  • RANGER-4212
  • RANGER-4165
  • RANGER-4025
  • RANGER-3758