Ranger
You can review the list of reported issues and their fixes for Ranger in 7.3.1.100.
- CDPD-78204: Alter Rename should not check for the CREATE permission on the database in which the renamed table is created
- The Alter Rename command no longer requires the CREATE permission on the database in which the renamed table is created.
- CDPD-78072: Set role command was not audited by Ranger
- The issue is fixed now. Ranger now supports auditing of the SET ROLE command for the Hive plugin.
- CDPD-77948: CSV injection vulnerability during CSV and Excel file export
- When policies are created with the special characters mentioned in the document, there were vulnerabilities that could be exploited.
The issue is fixed now. Checks have been added to ensure that whenever such characters are present, a space is added after them.
- CDPD-77093: HBase scan operation returns denied columns in result
- In some cases, Ranger authorization returns access results for some HBase data even when the user is not entitled to it.
This issue is fixed now.
- CDPD-76662: RMS server threw ConcurrentModificationException
- The original ConcurrentModificationException was likely thrown when the resource-mappings
were modified in response to changes in the Hive metadata while they were being serialized for
downloading to the NameNode (or secondary-namenode).
The fix is to create a shallow copy of resource-mappings before applying deltas which ensures that resource-mappings are not modified while they are being serialized for downloading to the NameNode.
- CDPD-76630: Ranger Audit Filter for the HBase service was not working as expected
- On the service creation page, while adding audit filters, the resources column includes an Include/Exclude switch for most resources. The issue arose when selecting an option in the switch:
- If Include was selected, the isExclude parameter should be false, but it was incorrectly set to true.
- If Exclude was selected, the isExclude parameter should be true, but it was incorrectly set to false.
The issue is fixed now.
- CDPD-76131: A ResourceTrie node referring to a modified policy-evaluator was removed even when it contained wildcard-evaluator(s)
- When policy-deltas were enabled and two policies had a common subset of resources and were defined on the same user (or subset of users, through groups or direct users), modifying one of these policies (on anything: name, resource, user) left it as the only one in effect during access evaluation until the underlying service was restarted. The underlying cause was that a ResourceTrie node referring to the modified policy-evaluator was removed even when it contained wildcard-evaluator(s).
This fix removes the self node from the resourceTrie only if it has no children, no evaluators, and no wildcard-evaluators.
- CDPD-75947: Support SASL bind for Ranger Usersync with AD/LDAP
- Usersync of Ranger supports GSSAPI SASL Bind. For more information see, .
- CDPD-75105: Performance fixes for Ozone plugin
- Fixed the performance issues observed while evaluating policies for multi-level
resources:
- RANGER-4893: Improves policy evaluation for multilevel resource hierarchies.
- RANGER-4922: Reduces time to find tags associated with multilevel resources.
- CDPD-72979: Ranger Tagsync did not support Ozone OFS paths/O3FS recursive feature
- There was no support for the OFS path/O3FS recursive feature in 7.3.1, so upgrading from 7.1.9 SP1 CHF3 or higher to 7.3.1 resulted in a regression.
This issue has been fixed in 7.3.1 CHF1. Ozone keys are now checked recursively for tags and tag-based policies, so tags applied to a parent directory also apply to its subdirectories. If you are already using tag-based policies for Ozone keys, are upgrading from 7.1.9 SP1 CHF2 or lower or from 7.3.1, and want the new behavior (that is, isRecursive=true) for previously tagged keys, you need to retag these keys in Atlas.
- CVE-2024-55532 - Apache Ranger
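
For the CSV export issue in CDPD-77948, the following added example (not Ranger's code and not its fix) shows a check an administrator could run over an exported policy file to flag cells a spreadsheet would evaluate as formulas, plus a neutralizing pass. The trigger set is the OWASP CSV-injection list and is an assumption, since this page does not list the characters; the single-quote prefix is the OWASP approach rather than the space described above; column names and sample rows are constructed.

```python
import csv
import io

# Assumption: OWASP's CSV-injection trigger characters; this page does not list Ranger's set.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of an exported policy report (column names are hypothetical).
SAMPLE_EXPORT = (
    "Policy Name,Description,Users\r\n"
    "hdfs-finance,Read access to /finance,alice\r\n"
    "=1+1,Quarterly review,bob\r\n"
    "hive-etl,@SUM(A1:A2),carol\r\n"
    "kafka-logs,-2+3,dave\r\n"
)


def find_formula_cells(csv_text):
    """Return (row_number, column_name, value) for each data cell that starts with a trigger."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    header = next(reader)
    findings = []
    for row_number, row in enumerate(reader, start=2):  # header is row 1
        for column, value in zip(header, row):
            if value.startswith(FORMULA_TRIGGERS):
                findings.append((row_number, column, value))
    return findings


def neutralize(value):
    """Prefix a single quote so a spreadsheet treats the cell as text (OWASP approach)."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def sanitize_export(csv_text):
    """Rewrite an export with every risky cell neutralized; quoting is left to the csv module."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    out = io.StringIO(newline="")
    writer = csv.writer(out)
    for row in reader:
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for row_number, column, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row_number}, column {column!r}: {value!r}")
```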